PT-2026-28201 · WordPress · FormLift For Infusionsoft Web Forms

Nabil Irawan · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-4281

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FormLift for Infusionsoft Web Forms plugin for WordPress, all versions up to and including 7.5.21.

Description: The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to missing authorization. The cause is a lack of capability checks in the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class. The connect() method exposes an OAuth connection password in the redirect Location header without verifying that the requester is authenticated or authorized. The listen_for_tokens() method validates that temporary password but does not authenticate the user before calling update_option() to persist attacker-controlled OAuth tokens and an attacker-controlled app domain. An unauthenticated attacker can therefore take over the site's Infusionsoft connection: first obtain the temporary password by triggering the OAuth flow via connect(), then present it to listen_for_tokens() to set arbitrary OAuth tokens and an arbitrary app domain, redirecting the plugin's API communication to a server the attacker controls. Note that the CVSS vector rates this as an integrity impact only (I:L); form submissions and API traffic sent to the attacker's domain after the takeover are the practical consequence a site owner should assess.

Recommendations: Sites running version 7.5.21 or earlier should update the plugin to a newer, patched version. Until then, review the stored Infusionsoft OAuth tokens and app domain for unexpected values and rotate the Infusionsoft credentials if the connection has been modified.
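The following sketch is an added example and is not the FormLift plugin's own code. It contrasts the pattern the advisory describes (a connect handler that hands out a temporary password to anyone, and a token handler that checks only that password before calling update_option()) with a hardened version that requires an authorized WordPress user, a nonce, and a temporary password bound to that user and to a short lifetime. The class name Example_OAuth_Manager, the option names, the query parameter names (state, token, app), the authorize URL and the manage_options capability are all assumptions chosen for the illustration.

```php
<?php
// Added example, not the plugin's code. All names below are assumptions.
class Example_OAuth_Manager {
    const OPT_TEMP     = 'example_oauth_temp_password'; // hypothetical option names
    const OPT_TOKENS   = 'example_oauth_tokens';
    const OPT_DOMAIN   = 'example_oauth_app_domain';
    const AUTHORIZE    = 'https://auth.example.test/authorize'; // hypothetical
    const TEMP_TTL     = 300; // seconds a temporary password stays valid

    // --- Weak pattern (what the advisory describes) -------------------------

    // Anyone who requests this endpoint receives the freshly minted
    // temporary password in the Location header: no auth, no capability check.
    public function connect_vulnerable() {
        $temp = wp_generate_password( 32, false );
        update_option( self::OPT_TEMP, $temp );
        wp_redirect( self::AUTHORIZE . '?state=' . rawurlencode( $temp ) );
        exit;
    }

    // The temporary password is verified, but the requester is never tied to a
    // logged-in, authorized user, so the holder of the leaked password can
    // overwrite the tokens and app domain with arbitrary values.
    public function listen_for_tokens_vulnerable() {
        $stored = (string) get_option( self::OPT_TEMP, '' );
        $state  = isset( $_GET['state'] ) ? (string) wp_unslash( $_GET['state'] ) : '';
        if ( '' === $stored || ! hash_equals( $stored, $state ) ) {
            wp_die( 'invalid state', 'Forbidden', array( 'response' => 403 ) );
        }
        update_option( self::OPT_TOKENS, array( 'access' => sanitize_text_field( wp_unslash( $_GET['token'] ?? '' ) ) ) );
        update_option( self::OPT_DOMAIN, sanitize_text_field( wp_unslash( $_GET['app'] ?? '' ) ) );
    }

    // --- Hardened pattern ----------------------------------------------------

    // Only an administrator with a valid nonce may start the OAuth flow, and the
    // temporary password is bound to that user and expires quickly.
    public function connect_fixed() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'forbidden', 'Forbidden', array( 'response' => 403 ) );
        }
        check_admin_referer( 'example_oauth_connect' ); // CSRF protection
        $temp = wp_generate_password( 32, false );
        update_option( self::OPT_TEMP, array(
            'value'   => $temp,
            'user'    => get_current_user_id(),
            'expires' => time() + self::TEMP_TTL,
        ), false );
        wp_redirect( self::AUTHORIZE . '?state=' . rawurlencode( $temp ) );
        exit;
    }

    // Authentication and authorization happen before the password is even
    // looked at; the password is single-use and must belong to this user.
    public function listen_for_tokens_fixed() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'forbidden', 'Forbidden', array( 'response' => 403 ) );
        }
        $stored = get_option( self::OPT_TEMP );
        $state  = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
        if ( ! is_array( $stored )
            || empty( $stored['value'] )
            || (int) $stored['expires'] < time()
            || (int) $stored['user'] !== get_current_user_id()
            || ! hash_equals( (string) $stored['value'], $state ) ) {
            wp_die( 'invalid state', 'Forbidden', array( 'response' => 403 ) );
        }
        delete_option( self::OPT_TEMP ); // single use: cannot be replayed

        // Never accept an arbitrary API host from the request. Assumed here:
        // the expected provider host is fixed in configuration.
        $expected_host = 'api.example.test'; // hypothetical expected host
        $domain = sanitize_text_field( wp_unslash( $_GET['app'] ?? '' ) );
        $host   = wp_parse_url( 'https://' . $domain, PHP_URL_HOST );
        if ( ! is_string( $host ) || strtolower( $host ) !== $expected_host ) {
            wp_die( 'unexpected app domain', 'Forbidden', array( 'response' => 403 ) );
        }
        update_option( self::OPT_TOKENS, array( 'access' => sanitize_text_field( wp_unslash( $_GET['token'] ?? '' ) ) ), false );
        update_option( self::OPT_DOMAIN, $host, false );
    }
}
```

The two changes that matter are the capability check before any state is read or written and the binding of the temporary password to the user who initiated the flow: leaking the password is then far less useful, since the attacker also needs an administrator session to redeem it. Pinning the app domain to a configured host removes the "point the plugin at my server" outcome even if the token-setting path is reached.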

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2026-4281

Affected Products

Formlift For Infusionsoft Web Forms
Infusionsoft Web Forms