CVE-2026-2428 in Fluent Forms Pro Add On Pack Plugin

Summary

by MITRE • 02/27/2026

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).
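
What IPN verification does when it is enabled, as an added example (not the plugin's code): the receiver posts the raw message back to PayPal and treats anything other than `VERIFIED` as untrusted, then checks the payment fields against the stored order. `handle_ipn`, the `$order` fields, `$seenTxns` and the stub transport are hypothetical; the postback URL and the `cmd=_notify-validate` exchange follow PayPal's IPN protocol.

```php
<?php
// Added illustration, not code from the Fluent Forms Pro Add On Pack plugin.
// handle_ipn(), $order, $postback and $seenTxns are hypothetical names.
const IPN_ENDPOINT = 'https://ipnpb.paypal.com/cgi-bin/webscr';

/**
 * Decide whether an incoming IPN may mark $order as paid. Fails closed.
 * $postback is fn(string $url, string $body): string, an HTTPS POST to PayPal.
 */
function handle_ipn(string $rawBody, array $order, callable $postback, array $seenTxns): array
{
    // 1. Echo the unmodified message back to PayPal with cmd=_notify-validate prepended.
    $reply = $postback(IPN_ENDPOINT, 'cmd=_notify-validate&' . $rawBody);
    if (trim($reply) !== 'VERIFIED') {
        return [false, 'postback not VERIFIED'];
    }
    // 2. Only after that, parse the fields and compare them with the stored order.
    parse_str($rawBody, $ipn);
    $checks = [
        'payment_status' => 'Completed',
        'receiver_email' => $order['receiver_email'],
        'mc_currency'    => $order['currency'],
        'mc_gross'       => $order['amount'], // compared as the stored string
    ];
    foreach ($checks as $field => $expected) {
        if (!is_string($ipn[$field] ?? null) || $ipn[$field] !== (string) $expected) {
            return [false, "mismatch: $field"];
        }
    }
    // 3. Reject a transaction id that is missing or was already processed.
    $txn = $ipn['txn_id'] ?? null;
    if (!is_string($txn) || $txn === '' || in_array($txn, $seenTxns, true)) {
        return [false, 'missing or replayed txn_id'];
    }
    return [true, 'ok'];
}

// Constructed sample: a notification that PayPal's postback does not confirm.
$body  = 'payment_status=Completed&receiver_email=shop%40example.test'
       . '&mc_currency=USD&mc_gross=49.00&txn_id=SAMPLE123';
$order = ['receiver_email' => 'shop@example.test', 'currency' => 'USD', 'amount' => '49.00'];
$stub  = fn(string $url, string $reqBody): string => 'INVALID'; // stands in for the HTTPS call
[$ok, $why] = handle_ipn($body, $order, $stub, []);
echo $ok ? "marked paid\n" : "rejected: $why\n";
```

With verification disabled, step 1 is skipped and the handler trusts the posted fields directly, which is the condition the summary describes.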


Disclosure

02/27/2026

Moderation

accepted

CPE

ready

EPSS

0.00035

KEV

no

Activities

very low

Sources
