Skip to main content

WordPress CVE-2026-4281

| EUVDEUVD-2026-16100 MEDIUM
Missing Authorization (CWE-862)
2026-03-26 Wordfence
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 26, 2026 - 04:30 euvd
EUVD-2026-16100
Analysis Generated
Mar 26, 2026 - 04:30 vuln.today
CVE Published
Mar 26, 2026 - 03:37 nvd
MEDIUM 5.3

DescriptionCVE.org

The FormLift for Infusionsoft Web Forms plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 7.5.21. This is due to missing capability checks on the connect() and listen_for_tokens() methods of the FormLift_Infusionsoft_Manager class, both of which are hooked to 'plugins_loaded' and execute on every page load. The connect() function generates an OAuth connection password and leaks it in the redirect Location header without verifying the requesting user is authenticated or authorized. The listen_for_tokens() function only validates the temporary password but performs no user authentication before calling update_option() to save attacker-controlled OAuth tokens and app domain. This makes it possible for unauthenticated attackers to hijack the site's Infusionsoft connection by first triggering the OAuth flow to obtain the temporary password, then using that password to set arbitrary OAuth tokens and app domain via update_option(), effectively redirecting the plugin's API communication to an attacker-controlled server.

AnalysisAI

The FormLift for Infusionsoft Web Forms WordPress plugin contains a missing authorization vulnerability (CWE-862) that allows unauthenticated attackers to hijack the site's Infusionsoft OAuth connection. Affected versions through 7.5.21 fail to validate user authentication on critical OAuth handler methods, enabling attackers to intercept temporary OAuth credentials and inject arbitrary OAuth tokens and app domains via the update_option() function. This is a network-accessible, low-complexity vulnerability with no required privileges; while the CVSS score is moderate (5.3), the real-world impact is integrity compromise of the CRM integration layer, potentially affecting customer data flows and automation.

Technical ContextAI

The FormLift for Infusionsoft Web Forms plugin (cpe:2.3:a:trainingbusinesspros:formlift_for_infusionsoft_web_forms:*:*:*:*:*:*:*:*) integrates WordPress sites with Infusionsoft's CRM platform via OAuth 2.0 authentication. The vulnerability exists in the FormLift_Infusionsoft_Manager class, specifically in two methods: connect() and listen_for_tokens(), both hooked to the 'plugins_loaded' action which executes on every page load. The connect() method initiates OAuth flow and exposes a temporary password in the HTTP Location redirect header without verifying the requester's identity. The listen_for_tokens() method accepts and persists OAuth tokens via WordPress's update_option() function with only temporary password validation-no user capability checks. The root cause falls under CWE-862 (Missing Authorization), a failure to implement access control on sensitive operations. This allows an attacker to manipulate WordPress site options that control Infusionsoft API routing and credentials, potentially redirecting API calls to attacker-controlled infrastructure.

RemediationAI

Upgrade the FormLift for Infusionsoft Web Forms plugin to version 7.5.22 or later, which should include capability checks (current_user_can()) on the connect() and listen_for_tokens() methods. Check the official plugin repository or vendor advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/a65cc674-a0ea-46b9-b609-b184e1f7ca8e for confirmation of the patched version. Until patching is possible, implement compensating controls: (1) restrict WordPress site access via IP whitelist or Web Application Firewall rules to block unauthenticated requests to the 'plugins_loaded' action if possible; (2) implement nonce verification and additional CSRF tokens on OAuth-related endpoints; (3) audit WordPress site options tables for unauthorized modifications to Infusionsoft connection settings (search for options prefixed with 'infusionsoft' or 'formlift'); (4) monitor Infusionsoft API logs for unexpected API calls from unknown IP ranges. Additionally, consider temporarily disabling the FormLift plugin until a patch is available if the Infusionsoft integration is not critical to operations.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-4281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy