Cyber Resilience

CVE-2026-2428

High

Published: 27 February 2026

Published
27 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS Score 0.0003 10.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2428 is a high-severity Insufficient Verification of Data Authenticity (CWE-345) vulnerability in Fluentforms (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and IA-9 (Service Identification and Authentication).

Deeper analysis

CVE-2026-2428 is an Insufficient Verification of Data Authenticity vulnerability (CWE-345) in the Fluent Forms Pro Add On Pack plugin for WordPress, affecting all versions up to and including 6.1.17. The issue arises because PayPal Instant Payment Notification (IPN) verification is disabled by default, with the `disable_ipn_verification` setting defaulting to `'yes'` in `PayPalSettings.php`. This configuration exposes a publicly accessible IPN endpoint to forged notifications without authenticity checks.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). By sending crafted PayPal IPN messages to the endpoint, attackers can falsely mark unpaid form submissions as "paid," thereby triggering post-payment automations such as sending emails, granting user access, or delivering digital products.

Advisories and patch information are detailed in the Fluent Forms changelog at https://fluentforms.com/docs/changelog/#2-toc-title and Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c62e54-da06-4b44-ba70-63065e664b0d?source=cve, published on 2026-02-27.

EU & UK References

Vulnerability details

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by…

more

default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct exploitation of unauthenticated public IPN endpoint due to missing authenticity verification in a web-facing WordPress plugin.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35051Shared CWE-345
CVE-2025-1108Shared CWE-345
CVE-2025-15385Shared CWE-345
CVE-2025-63910Shared CWE-345
CVE-2026-33143Shared CWE-345
CVE-2026-24772Shared CWE-345
CVE-2026-24775Shared CWE-345
CVE-2026-43534Shared CWE-345
CVE-2026-25474Shared CWE-345
CVE-2026-28454Shared CWE-345

Affected Assets

Fluentforms
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires secure configuration settings for the PayPal IPN verification to be enabled, directly countering the default insecure `disable_ipn_verification` setting that allows forged notifications.

prevent

Mandates protective safeguards for publicly accessible machine-to-machine interfaces like the IPN endpoint to prevent unauthorized forged payment notifications.

prevent

Enforces identification and authentication of external services such as PayPal for system-to-system connections, ensuring IPN notifications are authentic before processing.

References