Insufficient Data Verification Vulnerability in Fluent Forms Pro Add On Pack by WordPress
CVE-2026-2428
7.5HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 27 February 2026
What is CVE-2026-2428?
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable due to the default configuration of the PayPal IPN verification feature, which is disabled. This configuration allows unauthenticated attackers to exploit the IPN endpoint, sending forged notifications that can falsely mark unpaid submissions as 'paid'. This vulnerability can lead to unauthorized access, triggering post-payment actions such as email dispatches and digital product deliveries without legitimate payment confirmation.
Affected Version(s)
Fluent Forms Pro Add On Pack 0 <= 6.1.17