
Fluent Forms Pro WordPress plugin vulnerable to fake payment notifications

CVE-2026-2428
Summary

The Fluent Forms Pro plugin for WordPress accepts PayPal payment notifications without verifying that they actually came from PayPal, so an unauthenticated attacker can make the plugin treat an unpaid form submission as paid. This can trigger post-payment actions such as confirmation emails and automatic access grants. Update the plugin to a version later than 6.1.17 to fix this issue.

Original description
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).
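What the disabled check looks like when it is done properly, as an added example that is not the plugin's own code: the notification is echoed back to PayPal for validation, and even a validated IPN is only accepted if it matches the merchant's own order record and has not been replayed. The merchant address, order fields, sample IPN body and the stand-in postback are constructed for this example; the postback is injected so the logic runs offline.

```python
from typing import Callable, Dict, Set
from urllib.parse import parse_qsl

# PayPal's documented IPN check: POST the notification back, byte-for-byte, with
# cmd=_notify-validate prepended; PayPal replies "VERIFIED" or "INVALID".
PAYPAL_VALIDATE_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"
# Hypothetical merchant account, constructed for this example.
MERCHANT_EMAIL = "merchant@example.com"


def paypal_vouches(raw_body: str, postback: Callable[[str, str], str]) -> bool:
    """True only if PayPal itself confirms it sent this notification.
    `postback(url, body)` performs the HTTPS POST and returns the response text."""
    reply = postback(PAYPAL_VALIDATE_URL, "cmd=_notify-validate&" + raw_body)
    return reply.strip() == "VERIFIED"


def accept_ipn(raw_body: str, order: Dict[str, str], seen_txn_ids: Set[str],
               postback: Callable[[str, str], str]) -> bool:
    """Return True only if the submission in `order` may be marked paid.
    Skipping paypal_vouches() (the default described above) trusts the body as-is,
    so anyone who can reach the endpoint can claim a payment. `order` holds the
    merchant's own id/amount/currency; `seen_txn_ids` gives replay protection."""
    if not paypal_vouches(raw_body, postback):
        return False
    ipn = dict(parse_qsl(raw_body, keep_blank_values=True))
    # Even a genuine IPN must describe this order, to this merchant, paid in full.
    checks = (
        ipn.get("payment_status") == "Completed",
        ipn.get("receiver_email", "").lower() == MERCHANT_EMAIL,
        ipn.get("invoice") == order["id"],
        ipn.get("mc_gross") == order["amount"],
        ipn.get("mc_currency") == order["currency"],
        ipn.get("txn_id") not in (None, "") and ipn.get("txn_id") not in seen_txn_ids,
    )
    if not all(checks):
        return False
    seen_txn_ids.add(ipn["txn_id"])
    return True


# Constructed sample notification and a stand-in for PayPal's validation endpoint.
SAMPLE_IPN = ("invoice=42&txn_id=TX1&payment_status=Completed"
              "&receiver_email=merchant@example.com&mc_gross=10.00&mc_currency=USD")


def fake_paypal_postback(url: str, body: str) -> str:
    """Stand-in for the HTTPS postback: only SAMPLE_IPN is 'known' to PayPal."""
    return "VERIFIED" if body == "cmd=_notify-validate&" + SAMPLE_IPN else "INVALID"
```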
NVD CVSS 3.1: 7.5
Vulnerability type
CWE-345 (Insufficient Verification of Data Authenticity)
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026