High severity7.5NVD Advisory· Published Feb 27, 2026· Updated Apr 15, 2026
CVE-2026-2428
CVE-2026-2428
Description
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (disable_ipn_verification defaults to 'yes' in PayPalSettings.php). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=6.
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.