CVE-2026-2428

{"id": "CVE-2026-2428", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-02-27T04:16:03.600", "references": [{"url": "https://fluentforms.com/docs/changelog/#2-toc-title", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c62e54-da06-4b44-ba70-63065e664b0d?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-345"}]}], "descriptions": [{"lang": "en", "value": "The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as \"paid\" and triggering post-payment automation (emails, access grants, digital product delivery)."}, {"lang": "es", "value": "El plugin Fluent Forms Pro Add On Pack para WordPress es vulnerable a la Verificaci\u00f3n Insuficiente de Autenticidad de Datos en todas las versiones hasta la 6.1.17, inclusive. Esto se debe a que la verificaci\u00f3n de PayPal IPN (Notificaci\u00f3n Instant\u00e1nea de Pago) est\u00e1 deshabilitada por defecto (disable_ipn_verification tiene un valor predeterminado de 'yes' en PayPalSettings.php). Esto permite que atacantes no autenticados env\u00eden notificaciones PayPal IPN falsificadas al endpoint IPN de acceso p\u00fablico, marcando las entregas de formularios no pagadas como 'pagadas' y activando la automatizaci\u00f3n posterior al pago (correos electr\u00f3nicos, concesi\u00f3n de accesos, entrega de productos digitales)."}], "lastModified": "2026-02-27T14:06:37.987", "sourceIdentifier": "security@wordfence.com"}