CVE-2026-4281
Missing Authorization in FormLift Infusionsoft Plugin Enables OAuth Hijack
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| formlift | formlift | up to 7.5.21 (inclusive) |
| formlift | formlift | 7.5.22 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the FormLift for Infusionsoft Web Forms WordPress plugin (up to version 7.5.21) is due to missing authorization checks in the OAuth connection process. Specifically, the connect() method generates an OAuth connection password and leaks it in a redirect header without verifying if the user is authenticated or authorized. Additionally, the listen_for_tokens() method accepts OAuth tokens and app domain updates without proper user authentication, allowing unauthenticated attackers to hijack the site's Infusionsoft connection.
Attackers can trigger the OAuth flow to obtain a temporary password and then use it to set arbitrary OAuth tokens and app domain values. This effectively redirects the plugin's API communication to an attacker-controlled server, compromising the integrity of the OAuth integration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the FormLift for Infusionsoft Web Forms plugin allows unauthenticated attackers to hijack the site's Infusionsoft connection by manipulating OAuth tokens and redirecting API communication to attacker-controlled servers.
This unauthorized access and manipulation of OAuth tokens could lead to unauthorized access to user data or modification of contact information, which may result in violations of data protection regulations such as GDPR or HIPAA that require strict controls over personal data access and integrity.
Specifically, since the vulnerability allows attackers to set arbitrary OAuth tokens and app domains without proper authorization, it undermines the confidentiality and integrity of data exchanged via the plugin, potentially exposing sensitive personal information or disrupting data flows.
Therefore, organizations using affected versions of this plugin might face compliance risks related to unauthorized data access, data integrity breaches, and failure to implement adequate access controls as mandated by standards like GDPR and HIPAA.
How can this vulnerability impact me?
This vulnerability allows unauthenticated attackers to hijack the Infusionsoft OAuth connection of a WordPress site using the FormLift plugin. By exploiting the missing authorization checks, attackers can redirect API communication to their own servers by setting arbitrary OAuth tokens and app domain values.
The impact includes unauthorized control over the site's Infusionsoft integration, which could lead to manipulation of contact data, unauthorized access to marketing automation features, and potential data leakage or misuse.
The CVSS v3.1 base score of 5.3 indicates a medium severity with network attack vector, low attack complexity, no privileges required, no user interaction, no confidentiality impact, but integrity impact (data can be altered) and no availability impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized OAuth token handling in the FormLift WordPress plugin, specifically in the methods connect() and listen_for_tokens() within the infusionsoft-manager.php file. Detection involves monitoring for suspicious OAuth connection attempts or unexpected redirects to the OAuth URI (https://formlift.net/oauth/) containing the temporary password parameter.
On the system, you can check for unusual HTTP requests or redirects involving the OAuth flow parameters, especially those that include the transient password 'formlift_auth_pass' or the 'OauthClientPass' parameter.
Suggested commands to detect potential exploitation attempts include:
- Use web server access logs to search for requests to the OAuth URI or plugin endpoints with suspicious parameters, for example:
  - `grep -i 'formlift_auth_pass' /var/log/apache2/access.log`
  - `grep -i 'OauthClientPass' /var/log/apache2/access.log`
- Monitor WordPress option values related to the plugin for unexpected changes, such as the app domain or OAuth tokens, by querying the WordPress database:
  - `mysql -u [user] -p -e "SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%formlift%' OR option_name LIKE '%infusionsoft%';"`
Additionally, monitoring for unauthorized POST requests to the plugin endpoints that trigger OAuth activation or token listening without proper authentication can help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should update the FormLift WordPress plugin to version 7.5.22 or later, where the issue has been fixed by adding strict permission checks and nonce verification to the OAuth activation and token handling processes.
If updating immediately is not possible, restrict access to the plugin's OAuth-related endpoints by limiting access to authenticated users with the 'manage_options' capability, and monitor for suspicious OAuth token activity.
Additional mitigation steps include:
- Apply strict user authentication and authorization checks before allowing OAuth connection or token updates.
- Implement nonce verification on all POST requests related to OAuth activation and token handling.
- Regularly audit and monitor WordPress options related to the FormLift plugin for unauthorized changes.
- Consider temporarily disabling the FormLift plugin if immediate patching is not feasible and the risk is high.
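As an added example (not the plugin's own code) of the permission and nonce checks described above, the sketch below contrasts an unchecked token handler with a hardened one. The transient key 'formlift_auth_pass' and the 'OauthClientPass' parameter are taken from this advisory; the function names, option names, nonce action and the allowed app-domain suffix are assumptions.

```php
<?php
// Added example, not FormLift's code. Names prefixed formlift_demo_ are
// hypothetical; 'formlift_auth_pass' and 'OauthClientPass' come from the advisory.

// Pattern of the flaw (CWE-862): anyone who reaches the handler with the
// leaked temporary password can overwrite the stored tokens and app domain.
function formlift_demo_listen_for_tokens_unchecked() {
    if ( empty( $_POST['OauthClientPass'] ) ) {
        return;
    }
    if ( $_POST['OauthClientPass'] === get_transient( 'formlift_auth_pass' ) ) {
        update_option( 'formlift_demo_access_token', $_POST['access_token'] );
        update_option( 'formlift_demo_app_domain', $_POST['app_domain'] );
    }
}

// Hardened form: capability check, nonce, constant-time compare,
// single-use transient, sanitisation and an app-domain allowlist.
function formlift_demo_listen_for_tokens_hardened() {
    // Only a site administrator may (re)connect the integration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // CSRF protection: the form must carry a nonce issued for this action.
    check_admin_referer( 'formlift_demo_oauth_tokens', '_formlift_nonce' );

    $supplied = isset( $_POST['OauthClientPass'] )
        ? sanitize_text_field( wp_unslash( $_POST['OauthClientPass'] ) ) : '';
    $expected = get_transient( 'formlift_auth_pass' );
    if ( ! is_string( $expected ) || '' === $expected || ! hash_equals( $expected, $supplied ) ) {
        wp_die( 'Invalid OAuth handshake', '', array( 'response' => 403 ) );
    }
    // The temporary password is single-use: discard it before storing anything.
    delete_transient( 'formlift_auth_pass' );

    $token  = sanitize_text_field( wp_unslash( $_POST['access_token'] ?? '' ) );
    $domain = esc_url_raw( wp_unslash( $_POST['app_domain'] ?? '' ) );
    $host   = wp_parse_url( $domain, PHP_URL_HOST );

    // Assumed allowlist: accept only HTTPS hosts under the vendor's domain,
    // so the plugin's API traffic cannot be pointed at an arbitrary server.
    $allowed_suffix = '.infusionsoft.com';
    if ( '' === $token || ! $host || 'https' !== wp_parse_url( $domain, PHP_URL_SCHEME )
        || substr( strtolower( $host ), -strlen( $allowed_suffix ) ) !== $allowed_suffix ) {
        wp_die( 'Rejected token or app domain', '', array( 'response' => 400 ) );
    }
    update_option( 'formlift_demo_access_token', $token );
    update_option( 'formlift_demo_app_domain', $domain );
}
```

The same capability and nonce checks belong on the connect() side too, so the temporary password is only ever generated for, and returned to, an authenticated administrator.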