Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Reflected XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through <= 7.5.20.
Published: 2025-06-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress FormLift for Infusionsoft Web Forms plugin up to version 7.5.20 contains an improper neutralization of user input when rendering web pages, resulting in a reflected XSS vulnerability. An attacker can supply malicious script in query parameters or form fields that is echoed back in the response, enabling arbitrary JavaScript execution in the victim’s browser. This could allow data theft, session hijacking, or phishing attacks against users who visit the affected pages.

Affected Systems

Adrian Tobey’s FormLift for Infusionsoft Web Forms plugin for WordPress is affected. The vulnerability applies to all releases from the earliest available version up to and including 7.5.20.

Risk and Exploitability

CVSS score 7.1 ranks this issue as high severity. The EPSS score is below 1%, indicating a very low probability of widespread exploitation. It is not listed in CISA’s KEV catalog, suggesting no confirmed large‑scale attacks yet. The likely attack vector is via the publicly accessible web forms that the plugin generates, meaning any Internet‑connected WordPress site running the vulnerable plugin can be targeted without privileges.

Generated by OpenCVE AI on April 30, 2026 at 10:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FormLift for Infusionsoft Web Forms plugin to version 7.5.21 or later.
  • If the plugin cannot be updated immediately, disable the FormLift plugin to remove the vulnerable functionality.
  • As a temporary workaround, block or remove the affected forms from publicly accessible pages until a patch is applied.

Generated by OpenCVE AI on April 30, 2026 at 10:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-19284 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Reflected XSS. This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.20.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Reflected XSS. This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.20. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Reflected XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through <= 7.5.20.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Fri, 27 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Jun 2025 12:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Reflected XSS. This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.20.
Title WordPress FormLift for Infusionsoft Web Forms plugin <= 7.5.20 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:48.406Z

Reserved: 2025-05-07T10:45:13.130Z

Link: CVE-2025-47654

cve-icon Vulnrichment

Updated: 2025-06-27T13:59:15.346Z

cve-icon NVD

Status : Deferred

Published: 2025-06-27T12:15:37.207

Modified: 2026-04-23T15:30:41.183

Link: CVE-2025-47654

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T10:30:34Z

Weaknesses