Description
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).
Published: 2026-02-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Payment Status Modification
Action: Patch Now
AI Analysis

Impact

The flaw arises because the plugin disables PayPal IPN verification by default. Unauthenticated attackers can send crafted IPN messages to the publicly reachable endpoint, causing the system to treat unpaid submissions as paid and trigger post‑payment actions like emails, access grants, or digital product deliveries. This effectively bypasses payment verification and enables unauthorized access or financial exploitation.

Affected Systems

All WordPress sites running the Fluent Forms Pro Add On Pack plugin version 6.1.17 or earlier are affected. The plugin is distributed by TechJewel and is a popular add‑on for the Fluent Forms plugin.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5, indicating high severity, while the EPSS score of less than 1% suggests a low probability of active exploitation at the moment. However, the attack can be performed remotely over the public IPN endpoint without authentication, and once the IPN flow is mis‑verified, downstream automation could deliver products or give privileged access. Because it is not yet in the KEV catalog, a broader public campaign is not confirmed, but the potential impact warrants timely remediation.

Generated by OpenCVE AI on April 15, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Fluent Forms Pro Add On Pack version 6.1.18 or later.
  • If upgrading is not possible, enable IPN verification by setting disable_ipn_verification to 'no' in PayPalSettings.php.
  • Review IPN logs for unexpected POST requests and consider restricting the IPN endpoint to PayPal IP ranges or applying firewall rules.

Generated by OpenCVE AI on April 15, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Techjewel
Techjewel fluent Forms Pro Add On Pack
Wordpress
Wordpress wordpress
Vendors & Products Techjewel
Techjewel fluent Forms Pro Add On Pack
Wordpress
Wordpress wordpress
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).
Title Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification
Weaknesses CWE-345
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Subscriptions

Techjewel Fluent Forms Pro Add On Pack
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:56.825Z

Reserved: 2026-02-12T20:48:34.727Z

Link: CVE-2026-2428

cve-icon Vulnrichment

Updated: 2026-02-27T15:49:47.664Z

cve-icon NVD

Status : Deferred

Published: 2026-02-27T04:16:03.600

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2428

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses