Fluent Forms Pro Add On Pack Missing Authorization Vulnerability in PayPal IPN Verification

Vulnerability

A vulnerability exists in the Fluent Forms Pro Add On Pack for WordPress, affecting all versions through 6.1.17. PayPal IPN verification is disabled by default, so unauthenticated attackers can send fake PayPal IPN notifications to a public endpoint. A forged notification could falsely mark unpaid form submissions as 'paid' and activate post-payment processes such as sending emails, granting access, or delivering digital products.
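For context on the check that was off by default: verifying an IPN means posting the received body back to PayPal with `cmd=_notify-validate` prepended and acting only on a `VERIFIED` reply. The Python sketch below is an added example, not the plugin's code; the function names, the order record and the sample message are assumptions, and it goes beyond the postback to the follow-up checks on receiver, amount and `txn_id` reuse.

```python
from urllib.parse import parse_qsl, urlencode
from urllib.request import Request, urlopen

PAYPAL_IPN_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"  # PayPal live IPN postback

def paypal_postback(raw_body: bytes) -> str:
    """Echo the notification to PayPal unchanged, prefixed with cmd=_notify-validate."""
    req = Request(PAYPAL_IPN_URL, data=b"cmd=_notify-validate&" + raw_body,
                  headers={"User-Agent": "ipn-verify-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii", "replace").strip()

def handle_ipn(raw_body, order, seen_txn_ids, postback=paypal_postback):
    """Return (mark_paid, reason); every failure path leaves the order unpaid."""
    try:
        verdict = postback(raw_body)
    except OSError:                      # network error or timeout: fail closed
        return False, "postback failed"
    if verdict != "VERIFIED":            # PayPal answers VERIFIED or INVALID
        return False, "not verified by PayPal"
    # Assumption: UTF-8 body; a real handler honours the IPN "charset" field.
    f = dict(parse_qsl(raw_body.decode("utf-8", "replace"), keep_blank_values=True))
    if f.get("payment_status") != "Completed":
        return False, "payment not completed"
    if f.get("receiver_email", "").lower() != order["receiver_email"].lower():
        return False, "wrong receiver"
    if (f.get("mc_gross"), f.get("mc_currency")) != (order["amount"], order["currency"]):
        return False, "amount or currency mismatch"
    txn = f.get("txn_id")
    if not txn or txn in seen_txn_ids:   # a genuine message replayed must not pay twice
        return False, "missing or replayed txn_id"
    seen_txn_ids.add(txn)
    return True, "ok"

# Constructed sample data (hypothetical order and message, not from the advisory).
ORDER = {"receiver_email": "merchant@example.com", "amount": "19.00", "currency": "USD"}
SAMPLE_IPN = urlencode({"payment_status": "Completed", "txn_id": "TESTTXN0001",
                        "receiver_email": "merchant@example.com",
                        "mc_gross": "19.00", "mc_currency": "USD"}).encode()

if __name__ == "__main__":
    seen = set()
    # Stub postbacks stand in for PayPal so the demo runs offline.
    print(handle_ipn(SAMPLE_IPN, ORDER, seen, postback=lambda b: "INVALID"))
    print(handle_ipn(SAMPLE_IPN, ORDER, seen, postback=lambda b: "VERIFIED"))
    print(handle_ipn(SAMPLE_IPN, ORDER, seen, postback=lambda b: "VERIFIED"))
```

With verification skipped, the first call in the demo would have been treated like the second: a well-formed body alone would be enough to mark the order paid.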

Impact

Exploitation of this vulnerability could lead to unauthorized modifications of payment statuses, allowing attackers to falsely indicate that unpaid form submissions have been paid. This could trigger automated post-payment actions, such as sending confirmation emails, granting access to services or products, or delivering digital goods, based on the manipulated payment status.

Remediation

Users are advised to update the Fluent Forms Pro Add On Pack to version 6.1.18 or a newer patched version.

Added: Feb 27, 2026, 4:18 AM
Updated: Feb 27, 2026, 4:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 3.3
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.