CVE-2026-4281 - Vulnerability Details

- FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow

Description

The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication before calling update_option() to save attacker-controlled OAuth tokens and app domain. This makes it possible for unauthenticated attackers to hijack the site's Infusionsoft connection by first triggering the OAuth flow to obtain the temporary password, then using that password to set arbitrary OAuth tokens and app domain via update_option(), effectively redirecting the plugin's API communication to an attacker-controlled server.

Published: 2026-03-26

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The FormLift for Infusionsoft Web Forms plugin contains missing authorization checks in its connect() and listen_for_tokens() methods, which are executed on every page load. Because the plugin generates and leaks an OAuth temporary password without verifying the requesting user, an attacker who can send unauthenticated HTTP requests can trigger the OAuth flow, capture that password, and then use it to write attacker‑controlled OAuth tokens and an app domain into WordPress options. This allows the attacker to redirect the plugin’s API calls to an attacker‑controlled server, effectively hijacking the site's Infusionsoft integration. The weakness is an instance of broken access control (CWE‑862) and results in unauthorized manipulation of third‑party API credentials, exposing the site to data theft or injection.

Affected Systems

WordPress sites that have installed the trainingbusinesspros FormLift for Infusionsoft Web Forms plugin in any version up to and including 7.5.21 are affected. The issue is confined to the plugin code; the core WordPress installation is not vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 5.3, indicating moderate severity. Because no EPSS score is available and the flaw is not listed in the CISA KEV catalog, the likelihood of exploitation cannot be precisely quantified; however, the attack path is simple—unauthenticated HTTP requests to the plugin’s endpoints are sufficient—and the impact on the integration is significant. Given these factors, the risk is considered high relative to the vulnerability’s moderate severity rating, as the hijacked API traffic can expose or corrupt sensitive business data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

trainingbusinesspros

FormLift for Infusionsoft Web Forms

unaffected

Version	Status	Constraints
`0`	affected	≤ 7.5.21

No data.

Vendor Product Confidence Versions

Trainingbusinesspros

Formlift For Infusionsoft Web Forms

100%

Version	Status	Scheme	Platform
`[0,7.5.21]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the FormLift for Infusionsoft Web Forms plugin to a version newer than 7.5.21.
If an upgrade cannot be applied immediately, disable or delete the plugin to prevent the vulnerable code from executing.
Monitor the WordPress options table and OAuth token settings for unexpected changes.
Review the Infusionsoft account logs for unauthorized API access or connections to unfamiliar domains.
Enforce least‑privilege user roles and restrict plugin installation to trusted administrators.

Generated by OpenCVE AI on March 26, 2026 at 05:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00246.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L21
https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L46
https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L62
https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L64
https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L21
https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L46
https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L62
https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L64
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490212%40formlift&new=3490212%40formlift&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a65cc674-a0ea-46b9-b609-b184e1f7ca8e?source=cve

History

Thu, 26 Mar 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Trainingbusinesspros Trainingbusinesspros formlift For Infusionsoft Web Forms Wordpress Wordpress wordpress
Vendors & Products		Trainingbusinesspros Trainingbusinesspros formlift For Infusionsoft Web Forms Wordpress Wordpress wordpress

Thu, 26 Mar 2026 04:30:00 +0000

Type	Values Removed	Values Added
Description		The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication before calling update_option() to save attacker-controlled OAuth tokens and app domain. This makes it possible for unauthenticated attackers to hijack the site's Infusionsoft connection by first triggering the OAuth flow to obtain the temporary password, then using that password to set arbitrary OAuth tokens and app domain via update_option(), effectively redirecting the plugin's API communication to an attacker-controlled server.
Title		FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L21 https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L46 https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L62 https://plugins.trac.wordpress.org/browser/formlift/tags/7.5.21/modules/api/infusionsoft-manager.php#L64 https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L21 https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L46 https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L62 https://plugins.trac.wordpress.org/browser/formlift/trunk/modules/api/infusionsoft-manager.php#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3490212%40formlift&new=3490212%40formlift&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/a65cc674-a0ea-46b9-b609-b184e1f7ca8e?source=cve
Metrics		cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Trainingbusinesspros Formlift For Infusionsoft Web Forms

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-03-26T03:37:28.487Z

Updated: 2026-04-08T17:13:28.717Z

Reserved: 2026-03-16T15:52:40.406Z

Link: CVE-2026-4281

Vulnrichment

Updated: 2026-03-26T14:11:53.861Z

NVD

Status : Deferred

Published: 2026-03-26T05:16:40.107

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-4281

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T12:08:38Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object