{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2428", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-12T20:48:34.727Z", "datePublished": "2026-02-27T03:23:19.329Z", "dateUpdated": "2026-04-08T17:29:56.825Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:56.825Z"}, "affected": [{"vendor": "techjewel", "product": "Fluent Forms Pro Add On Pack", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.1.17", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as \"paid\" and triggering post-payment automation (emails, access grants, digital product delivery)."}], "title": "Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c62e54-da06-4b44-ba70-63065e664b0d?source=cve"}, {"url": "https://fluentforms.com/docs/changelog/#2-toc-title"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-345 Insufficient Verification of Data Authenticity", "cweId": "CWE-345", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Prickly Cactus"}], "timeline": [{"time": "2026-02-12T21:03:48.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-26T14:33:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T15:49:08.291600Z", "id": "CVE-2026-2428", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T15:49:59.392Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2428", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T15:49:08.291600Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T15:49:47.664Z"}}], "cna": {"title": "Fluent Forms Pro Add On Pack <= 6.1.17 - Missing Authorization to Unauthenticated Payment Status modification", "credits": [{"lang": "en", "type": "finder", "value": "Prickly Cactus"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}}], "affected": [{"vendor": "techjewel", "product": "Fluent Forms Pro Add On Pack", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.1.17"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-12T21:03:48.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-26T14:33:15.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c62e54-da06-4b44-ba70-63065e664b0d?source=cve"}, {"url": "https://fluentforms.com/docs/changelog/#2-toc-title"}], "descriptions": [{"lang": "en", "value": "The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as \"paid\" and triggering post-payment automation (emails, access grants, digital product delivery)."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:29:56.825Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2428", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:29:56.825Z", "dateReserved": "2026-02-12T20:48:34.727Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-27T03:23:19.329Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as \"paid\" and triggering post-payment automation (emails, access grants, digital product delivery)."}, {"lang": "es", "value": "El plugin Fluent Forms Pro Add On Pack para WordPress es vulnerable a la Verificaci\u00f3n Insuficiente de Autenticidad de Datos en todas las versiones hasta la 6.1.17, inclusive. Esto se debe a que la verificaci\u00f3n de PayPal IPN (Notificaci\u00f3n Instant\u00e1nea de Pago) est\u00e1 deshabilitada por defecto (disable_ipn_verification tiene un valor predeterminado de 'yes' en PayPalSettings.php). Esto permite que atacantes no autenticados env\u00eden notificaciones PayPal IPN falsificadas al endpoint IPN de acceso p\u00fablico, marcando las entregas de formularios no pagadas como 'pagadas' y activando la automatizaci\u00f3n posterior al pago (correos electr\u00f3nicos, concesi\u00f3n de accesos, entrega de productos digitales)."}], "id": "CVE-2026-2428", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-27T04:16:03.600", "references": [{"source": "security@wordfence.com", "url": "https://fluentforms.com/docs/changelog/#2-toc-title"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c62e54-da06-4b44-ba70-63065e664b0d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Fluent Forms Pro Add On Pack", "source": "cna", "vendor": "techjewel"}, "product": "fluent_forms_pro_add_on_pack", "vendor": "techjewel"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T16:52:50.169885+00:00", "value": {"mitigation_remediation": ["Upgrade to Fluent Forms Pro Add On Pack version 6.1.18 or later.", "If upgrading is not possible, enable IPN verification by setting disable_ipn_verification to 'no' in PayPalSettings.php.", "Review IPN logs for unexpected POST requests and consider restricting the IPN endpoint to PayPal IP ranges or applying firewall rules."], "summary": {"action": "Patch Now", "impact": "Unauthenticated Payment Status Modification"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the Fluent Forms Pro Add On Pack plugin version 6.1.17 or earlier are affected. The plugin is distributed by TechJewel and is a popular add\u2011on for the Fluent Forms plugin.", "description_and_impact": "The flaw arises because the plugin disables PayPal IPN verification by default. Unauthenticated attackers can send crafted IPN messages to the publicly reachable endpoint, causing the system to treat unpaid submissions as paid and trigger post\u2011payment actions like emails, access grants, or digital product deliveries. This effectively bypasses payment verification and enables unauthorized access or financial exploitation.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.5, indicating high severity, while the EPSS score of less than 1% suggests a low probability of active exploitation at the moment. However, the attack can be performed remotely over the public IPN endpoint without authentication, and once the IPN flow is mis\u2011verified, downstream automation could deliver products or give privileged access. Because it is not yet in the KEV catalog, a broader public campaign is not confirmed, but the potential impact warrants timely remediation."}}}}, "created": "2026-02-27T16:06:15.610600+00:00", "updated": "2026-04-15T17:00:07.071321+00:00", "vendors": ["techjewel", "techjewel$PRODUCT$fluent_forms_pro_add_on_pack", "wordpress", "wordpress$PRODUCT$wordpress"]}