Vulnerabilities ›

CVE-2026-2428

High

CWE-345 — Weakness Type

                    Published: Feb 27, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.1.17. This is due to the PayPal IPN (Instant Payment Notification) verification being disabled by default (`disable_ipn_verification` defaults to `'yes'` in `PayPalSettings.php`). This makes it possible for unauthenticated attackers to send forged PayPal IPN notifications to the publicly accessible IPN endpoint, marking unpaid form submissions as "paid" and triggering post-payment automation (emails, access grants, digital product delivery).

🤖 AI Executive Summary

Fluent Forms Pro Add On Pack plugin for WordPress (versions up to 6.1.17) has a critical payment verification vulnerability where PayPal IPN verification is disabled by default, allowing unauthenticated attackers to forge payment notifications. This enables attackers to mark unpaid submissions as paid, bypass payment requirements, and trigger post-payment automations including unauthorized access grants and digital product delivery. The vulnerability affects any WordPress site using this plugin with e-commerce or payment-gated content functionality.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 4, 2026 14:17

🇸🇦 Saudi Arabia Impact Assessment

High impact for Saudi e-commerce and fintech sectors. Affected organizations include: (1) Banking sector — financial institutions using WordPress for payment processing or loan applications; (2) Government agencies — SAMA-regulated entities processing payments or digital services; (3) E-commerce platforms — Saudi retailers and online marketplaces using Fluent Forms for checkout; (4) Healthcare — private hospitals and clinics processing patient payments; (5) Telecom/STC — digital service providers; (6) Education — universities and training centers offering paid online courses. The vulnerability directly impacts revenue integrity and regulatory compliance with SAMA payment security requirements. Organizations could face unauthorized access grants, fraudulent payment claims, and regulatory violations.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Sector E-commerce and Retail Healthcare Telecommunications Education and Training Digital Services and SaaS Payment Processing

🎯 MITRE ATT&CK Techniques

T1589 — Gather Victim Identity Information (forged payment claims) T1566 — Phishing (fraudulent payment notifications) T1578 — Modify Cloud Compute Infrastructure (unauthorized access grants) T1190 — Exploit Public-Facing Application (IPN endpoint exploitation) T1040 — Network Sniffing (IPN message interception) T1556 — Modify Authentication Process (bypass payment verification) T1021 — Remote Services (unauthorized access to gated content)

⚖️ Saudi Risk Score (AI)

8.2

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all WordPress installations using Fluent Forms Pro Add On Pack plugin

2. Check plugin version — if version ≤ 6.1.17, treat as critical

3. Disable PayPal payment method temporarily if not immediately patchable

4. Review PayPal IPN logs for suspicious activity (forged notifications) in past 30 days

5. Audit form submissions marked as 'paid' in last 30 days for legitimacy



PATCHING:

1. Update Fluent Forms Pro Add On Pack to version 6.1.18 or later immediately

2. Verify PayPal IPN verification is ENABLED (set `disable_ipn_verification` to `'no'` in PayPalSettings.php)

3. Test PayPal IPN endpoint after patching



COMPENSATING CONTROLS (if patch delayed):

1. Implement Web Application Firewall (WAF) rules to restrict IPN endpoint access to PayPal IP ranges only

2. Add request signature validation at application level

3. Implement rate limiting on IPN endpoint

4. Enable detailed logging of all IPN requests with source IP, timestamp, and payload

5. Require manual verification of high-value transactions before fulfillment



DETECTION:

1. Monitor IPN endpoint logs for requests from non-PayPal IP addresses

2. Alert on IPN requests with invalid or missing signatures

3. Track submissions marked 'paid' without corresponding PayPal transaction records

4. Monitor for unusual patterns in payment notifications (multiple payments from same user in short timeframe)

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تحديد جميع تثبيتات WordPress التي تستخدم مكون إضافي Fluent Forms Pro Add On Pack

2. التحقق من إصدار المكون الإضافي — إذا كان الإصدار ≤ 6.1.17، فعامله كحرج

3. تعطيل طريقة الدفع عبر PayPal مؤقتاً إذا لم يكن من الممكن تصحيحها فوراً

4. مراجعة سجلات PayPal IPN للنشاط المريب (الإشعارات المزيفة) في آخر 30 يوماً

5. تدقيق تقديمات النماذج المميزة كـ 'مدفوعة' في آخر 30 يوماً للتحقق من الشرعية

التصحيح:

1. تحديث مكون إضافي Fluent Forms Pro Add On Pack إلى الإصدار 6.1.18 أو أحدث فوراً

2. التحقق من تفعيل التحقق من PayPal IPN (تعيين `disable_ipn_verification` إلى `'no'` في PayPalSettings.php)

3. اختبار نقطة نهاية PayPal IPN بعد التصحيح

الضوابط البديلة (إذا تأخر التصحيح):

1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لتقييد وصول نقطة النهاية IPN إلى نطاقات عناوين IP الخاصة بـ PayPal فقط

2. إضافة التحقق من توقيع الطلب على مستوى التطبيق

3. تنفيذ تحديد معدل على نقطة نهاية IPN

4. تفعيل تسجيل مفصل لجميع طلبات IPN مع عنوان IP المصدر والطابع الزمني والحمولة

5. طلب التحقق اليدوي من المعاملات عالية القيمة قبل الوفاء

الكشف:

1. مراقبة سجلات نقطة نهاية IPN للطلبات من عناوين IP غير PayPal

2. تنبيه على طلبات IPN بتوقيعات غير صحيحة أو مفقودة

3. تتبع التقديمات المميزة كـ 'مدفوعة' بدون سجلات معاملات PayPal المقابلة

4. مراقبة الأنماط غير العادية في إشعارات الدفع (عمليات دفع متعددة من نفس المستخدم في إطار زمني قصير)

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.14.2.1 — Information security requirements for supplier relationships (third-party plugin security) ECC 2024 A.8.2.3 — User access management and authentication ECC 2024 A.14.2.5 — Supplier security incident management ECC 2024 A.12.6.1 — Management of technical vulnerabilities

🔵 SAMA CSF

SAMA CSF 2.1 — Governance and Risk Management (payment system security) SAMA CSF 3.2 — Information Security (data authenticity and integrity) SAMA CSF 3.3 — Cryptography and Key Management (transaction verification) SAMA CSF 4.1 — Operational Resilience (payment processing continuity)

🟡 ISO 27001:2022

ISO 27001:2022 A.5.1 — Policies for information security ISO 27001:2022 A.8.1 — User access management ISO 27001:2022 A.8.2 — User access provisioning ISO 27001:2022 A.8.3 — Access rights review ISO 27001:2022 A.14.2 — Supplier relationships ISO 27001:2022 A.14.2.5 — Supplier security incident management

🟣 PCI DSS v4.0.1

PCI DSS 3.2.1 — Render PAN unreadable (payment data protection) PCI DSS 6.2 — Ensure security patches are installed PCI DSS 6.5.10 — Implement controls against broken authentication PCI DSS 10.2 — Implement automated audit trails for payment transactions

🔗 References & Sources 2

🔗

https://fluentforms.com/docs/changelog/#2-toc-title

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/e5c62e54-da06-4b44-ba70-63065...

security@wordfence.com

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityN — None / Network

IntegrityH — High

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-345

EPSS0.02%

Exploit No

Patch ✓ Yes

Published 2026-02-27

Source Feed nvd

🇸🇦 Saudi Risk Score

8.2

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-345

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-2428

💬 Comments

Introduce Yourself

Sign In Required