
CVE-2026-4281: CWE-862 Missing Authorization in trainingbusinesspros FormLift for Infusionsoft Web Forms

Severity: Medium
Tags: Vulnerability, CVE-2026-4281, CWE-862
Published: Thu Mar 26 2026 (03/26/2026, 03:37:28 UTC)
Source: CVE Database V5
Vendor/Project: trainingbusinesspros
Product: FormLift for Infusionsoft Web Forms

Description

CVE-2026-4281 is a medium severity vulnerability in the FormLift for Infusionsoft Web Forms WordPress plugin (up to version 7.5.21) caused by missing authorization checks. Unauthenticated attackers can exploit missing capability validation in the connect() and listen_for_tokens() methods to hijack the plugin's OAuth connection. The connect() method leaks an OAuth connection password in the redirect header without verifying user authentication, while listen_for_tokens() accepts this password and allows saving attacker-controlled OAuth tokens and app domain via update_option() without user authentication. This enables attackers to redirect API communications to a malicious server, potentially compromising the integrity of the Infusionsoft integration. No known exploits are currently reported in the wild. Organizations using this plugin should urgently apply patches or implement strict access controls to prevent unauthorized OAuth token manipulation.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 04:47:06 UTC

Technical Analysis

The vulnerability CVE-2026-4281 affects the FormLift for Infusionsoft Web Forms plugin for WordPress, specifically all versions up to and including 7.5.21. The root cause is missing authorization checks in two critical methods: connect() and listen_for_tokens() within the FormLift_Infusionsoft_Manager class. Both methods are hooked to the 'plugins_loaded' action, causing them to execute on every page load regardless of user authentication status. The connect() method generates an OAuth connection password and exposes it in the HTTP redirect Location header without verifying if the requester is authenticated or authorized, effectively leaking sensitive credentials to unauthenticated users. Subsequently, the listen_for_tokens() method validates only the temporary password but does not perform any user authentication before calling WordPress's update_option() function. This allows an attacker to save arbitrary OAuth tokens and an attacker-controlled app domain into the plugin’s configuration. By doing so, the attacker can hijack the plugin’s OAuth connection and redirect API communications to a malicious server under their control. This compromises the integrity of the Infusionsoft integration, potentially allowing unauthorized manipulation of data or commands sent via the plugin. The vulnerability does not impact confidentiality or availability directly but poses a significant integrity risk. The CVSS 3.1 base score is 5.3 (medium severity), reflecting the lack of authentication required and ease of exploitation over the network without user interaction. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date.

Potential Impact

This vulnerability allows unauthenticated attackers to hijack the OAuth connection between the WordPress site and Infusionsoft, a popular CRM and marketing automation platform. The attacker can redirect API communications to a server they control, potentially enabling manipulation or injection of fraudulent data, commands, or configurations within the Infusionsoft integration. This compromises the integrity of business processes relying on this plugin, such as lead capture, marketing automation, and customer data synchronization. While it does not directly expose sensitive data or cause denial of service, the ability to alter OAuth tokens and app domains can lead to unauthorized actions within the Infusionsoft environment, undermining trust and operational reliability. Organizations relying on this plugin for critical marketing or sales workflows may experience disruption or data corruption. The vulnerability is exploitable remotely without authentication or user interaction, increasing the risk of widespread exploitation if left unmitigated.

Mitigation Recommendations

Immediate mitigation involves restricting access to the vulnerable plugin’s functionality by implementing web application firewall (WAF) rules that block unauthorized requests to endpoints triggering connect() and listen_for_tokens() methods. Administrators should monitor HTTP redirect headers for suspicious OAuth password leaks and audit update_option() calls related to OAuth tokens. Since no official patch is currently available, organizations should consider temporarily disabling the FormLift for Infusionsoft Web Forms plugin or replacing it with alternative solutions until a secure update is released. Developers maintaining the plugin must implement strict capability checks and user authentication verification before executing connect() and listen_for_tokens() methods. Additionally, OAuth token handling should be secured to prevent storage of attacker-controlled tokens. Regularly reviewing plugin updates from the vendor and applying patches promptly is critical. Organizations should also audit their Infusionsoft integrations for signs of unauthorized access or configuration changes.
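As an added illustration of the developer-side mitigation above (this is not code from the FormLift plugin or its vendor; the class name, option name, action names, query parameters and authorization-server URLs are hypothetical placeholders), the following WordPress handler shows the pattern a connect() / listen_for_tokens() pair should follow: both methods require an authenticated user with the manage_options capability, connect() is reachable only through an admin-post action protected by a nonce, the only secret in the flow is a single-use state value kept server-side and bound to the initiating user rather than a password placed in the Location header, the app domain is never taken from the callback request, and update_option() runs only after every check has passed.

```php
<?php
// Added example, not the plugin's own code. All names below are placeholders.

class Example_OAuth_Connection_Handler {

    const OPTION_TOKENS = 'example_oauth_tokens';      // hypothetical option name
    const STATE_PREFIX  = 'example_oauth_state_';      // transient key prefix
    const AUTHORIZE_URL = 'https://authorization-server.example/oauth/authorize';
    const TOKEN_URL     = 'https://authorization-server.example/oauth/token';

    public function __construct() {
        // admin_post_{action} only fires for logged-in users; the callback is
        // gated on an explicit query parameter instead of running on every load.
        add_action( 'admin_post_example_oauth_connect', array( $this, 'connect' ) );
        add_action( 'admin_init', array( $this, 'maybe_handle_callback' ) );
    }

    private function require_admin() {
        if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
    }

    private function callback_url() {
        return admin_url( 'admin.php?page=example-oauth&example_oauth_callback=1' );
    }

    // Starts the flow. Authenticated admin + nonce, then a random single-use
    // state stored server-side with a short TTL and tied to this user.
    public function connect() {
        $this->require_admin();
        check_admin_referer( 'example_oauth_connect' );

        $state = wp_generate_password( 32, false );
        set_transient( self::STATE_PREFIX . $state, get_current_user_id(), 10 * MINUTE_IN_SECONDS );

        $redirect = add_query_arg( array(
            'client_id'     => 'CLIENT_ID_PLACEHOLDER',
            'redirect_uri'  => $this->callback_url(),
            'response_type' => 'code',
            'state'         => $state,
        ), self::AUTHORIZE_URL );

        wp_redirect( $redirect ); // external host, so wp_safe_redirect() would not apply
        exit;
    }

    public function maybe_handle_callback() {
        if ( ! empty( $_GET['example_oauth_callback'] ) ) {
            $this->listen_for_tokens();
        }
    }

    // Completes the flow. Same capability check as connect(); the state must
    // exist, be unused, and have been issued to the current user.
    public function listen_for_tokens() {
        $this->require_admin();

        $state = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
        $code  = isset( $_GET['code'] )  ? sanitize_text_field( wp_unslash( $_GET['code'] ) )  : '';
        if ( '' === $state || '' === $code ) {
            wp_die( 'Missing OAuth parameters.', '', array( 'response' => 400 ) );
        }

        $issued_to = get_transient( self::STATE_PREFIX . $state );
        delete_transient( self::STATE_PREFIX . $state ); // single use, even on failure
        if ( false === $issued_to || (int) $issued_to !== get_current_user_id() ) {
            wp_die( 'Invalid or expired OAuth state.', '', array( 'response' => 403 ) );
        }

        // The token endpoint and app domain come from fixed configuration,
        // never from request parameters, so the callback cannot repoint the API.
        $tokens = $this->exchange_code_for_tokens( $code );
        if ( empty( $tokens['access_token'] ) ) {
            wp_die( 'Token exchange failed.', '', array( 'response' => 502 ) );
        }

        update_option( self::OPTION_TOKENS, $tokens, false );
        wp_safe_redirect( admin_url( 'admin.php?page=example-oauth&connected=1' ) );
        exit;
    }

    private function exchange_code_for_tokens( $code ) {
        $response = wp_remote_post( self::TOKEN_URL, array( 'body' => array(
            'grant_type'    => 'authorization_code',
            'code'          => $code,
            'client_id'     => 'CLIENT_ID_PLACEHOLDER',
            'client_secret' => 'CLIENT_SECRET_PLACEHOLDER',
            'redirect_uri'  => $this->callback_url(),
        ) ) );
        if ( is_wp_error( $response ) ) {
            return array();
        }
        $body = json_decode( wp_remote_retrieve_body( $response ), true );
        return is_array( $body ) ? $body : array();
    }
}
```

For auditing an installed plugin against this advisory, the properties to look for are the same ones the example enforces: a capability check before any redirect that carries a secret, a capability check before update_option() in the callback, a state value that is bound to the initiating session and consumed once, and an app domain that is not read from the callback request.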


Technical Details

Data Version
5.2
Assigner Short Name
Wordfence
Date Reserved
2026-03-16T15:52:40.406Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69c4b67cf4197a8e3bc62ad5

Added to database: 3/26/2026, 4:30:52 AM

Last enriched: 3/26/2026, 4:47:06 AM

Last updated: 3/26/2026, 5:37:49 AM
