CVE-2026-4281 (severity: Medium)

CVE-2026-4281: FormLift for Infusionsoft Web Forms <= 7.5.21 - Missing Authorization to Unauthenticated Infusionsoft Connection Hijack via OAuth Connection Flow

Vendor: Trainingbusinesspros
Product: FormLift for Infusionsoft Web Forms
Weakness: CWE-862 · Missing authorization
Published: March 26, 2026
Last update: April 8, 2026

CVSS base score: 5.3/10

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: None
Integrity: Low
Availability: None

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Description (what the vulnerability does)

The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication before calling update_option() to save attacker-controlled OAuth tokens and app domain. This makes it possible for unauthenticated attackers to hijack the site's Infusionsoft connection by first triggering the OAuth flow to obtain the temporary password, then using that password to set arbitrary OAuth tokens and app domain via update_option(), effectively redirecting the plugin's API communication to an attacker-controlled server.
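To make the authorization gap concrete, the following PHP is an added illustration written for this page; it is not FormLift's code and not code from the advisory's author. The first class reduces the pattern the description outlines (handlers on 'plugins_loaded', a temporary password in the redirect, update_option() gated only by that password) to its essentials; the second shows a hardened form that requires a capability and a nonce before the flow can start, binds the one-time state value to the admin who started it, and takes tokens from the provider's token endpoint rather than from the request. The Hypothetical_ class names, the option names, the request parameters, the OAuth endpoints and the app-domain pattern are all assumptions made for the example.

```php
<?php
// Added illustration (not FormLift's own code). Method, class and hook names
// follow the advisory; option names, request parameters, OAuth endpoints and
// the app-domain pattern are assumptions made for this example.

// --- The pattern the advisory describes, reduced to its essentials ----------
class Hypothetical_Vulnerable_Manager {
    public function __construct() {
        // Both handlers fire on every page load, for every visitor.
        add_action( 'plugins_loaded', array( $this, 'connect' ) );
        add_action( 'plugins_loaded', array( $this, 'listen_for_tokens' ) );
    }
    public function connect() {
        if ( empty( $_GET['formlift_connect'] ) ) { return; }          // assumed trigger
        $password = wp_generate_password( 32, false );
        update_option( 'formlift_temp_password', $password );          // assumed option
        // No capability check, so the secret leaves in the Location header to anyone.
        wp_redirect( 'https://oauth.example/authorize?state=' . rawurlencode( $password ) );
        exit;
    }
    public function listen_for_tokens() {
        if ( empty( $_GET['state'] ) || $_GET['state'] !== get_option( 'formlift_temp_password' ) ) { return; }
        // Knowing the temporary password is treated as proof of authority.
        update_option( 'formlift_access_token', $_GET['access_token'] );
        update_option( 'formlift_app_domain',   $_GET['app_domain'] );
    }
}

// --- Hardened form -----------------------------------------------------------
class Hypothetical_Hardened_Manager {
    const CAP        = 'manage_options';
    const OPT_STATE  = 'formlift_oauth_state';    // assumed option names
    const OPT_TOKEN  = 'formlift_access_token';
    const OPT_DOMAIN = 'formlift_app_domain';
    const TTL        = 600;                        // seconds a pending state stays valid

    public function __construct() {
        // admin-post.php actions run only for logged-in users, not on every page load.
        add_action( 'admin_post_formlift_connect', array( $this, 'connect' ) );
        add_action( 'admin_post_formlift_listen',  array( $this, 'listen_for_tokens' ) );
    }

    private function require_admin() {
        if ( ! current_user_can( self::CAP ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
    }

    public function connect() {
        $this->require_admin();
        check_admin_referer( 'formlift_connect' );    // nonce: an admin chose to start this
        $state = wp_generate_password( 32, false );
        // Store only a hash, bound to this user and time-limited. The plaintext goes
        // to the OAuth provider as the state parameter, which is what state is for.
        update_option( self::OPT_STATE, array(
            'hash'    => wp_hash_password( $state ),
            'user'    => get_current_user_id(),
            'expires' => time() + self::TTL,
        ), false );
        wp_redirect( 'https://oauth.example/authorize?state=' . rawurlencode( $state ) );
        exit;
    }

    public function listen_for_tokens() {
        $this->require_admin();
        $supplied = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
        $code     = isset( $_GET['code'] )  ? sanitize_text_field( wp_unslash( $_GET['code'] ) )  : '';
        $pending  = get_option( self::OPT_STATE );
        if ( ! is_array( $pending )
            || time() > $pending['expires']
            || (int) $pending['user'] !== get_current_user_id()
            || '' === $supplied
            || ! wp_check_password( $supplied, $pending['hash'] ) ) {
            wp_die( 'Invalid or expired connection request.', '', array( 'response' => 403 ) );
        }
        delete_option( self::OPT_STATE );             // single use

        // Tokens come from the provider's token endpoint, never from the request
        // parameters (client credentials omitted here; endpoint and response shape assumed).
        $resp = wp_remote_post( 'https://oauth.example/token', array(
            'body' => array( 'grant_type' => 'authorization_code', 'code' => $code ),
        ) );
        if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
            wp_die( 'Token exchange failed.', '', array( 'response' => 502 ) );
        }
        $data = json_decode( wp_remote_retrieve_body( $resp ), true );
        if ( empty( $data['access_token'] ) || empty( $data['app_domain'] ) ) {
            wp_die( 'Malformed token response.', '', array( 'response' => 502 ) );
        }
        // Pin the app domain to the vendor's namespace (pattern assumed) so the
        // plugin's API traffic cannot be pointed at an arbitrary host.
        if ( ! preg_match( '/^[a-z0-9-]+\.infusionsoft\.com$/i', $data['app_domain'] ) ) {
            wp_die( 'Unexpected app domain.', '', array( 'response' => 400 ) );
        }
        update_option( self::OPT_TOKEN,  $data['access_token'], false );
        update_option( self::OPT_DOMAIN, $data['app_domain'],   false );
    }
}
```

The two changes that matter most are structural rather than cosmetic: moving the handlers off 'plugins_loaded' onto admin-only actions means an unauthenticated visitor can no longer start the flow or reach the callback at all, and fetching tokens from the token endpoint means that even a caller who somehow learns the state value cannot supply the stored token or app domain themselves.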

Summary (explanation in simple terms)

FormLift for Infusionsoft Web Forms versions 7.5.21 and earlier lack proper authorization checks. An attacker can modify data without authentication by sending direct requests to the application. The vulnerability affects the integrity of stored information but does not expose sensitive data or disrupt availability.

Attacker capabilities

Modify or alter data in the application without logging in.

Site impact

Attackers can change form submissions, user data, or configuration without permission.

Prerequisites

Network access to the application; no authentication or user interaction required.

Disclosure timeline

March 26, 2026: CVE published
April 8, 2026: Record updated
