CVE-2025-47654
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms (slug: formlift) allows Reflected XSS. This issue affects FormLift for Infusionsoft Web Forms: all versions through 7.5.20 inclusive.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in FormLift for Infusionsoft Web Forms plugin (<=7.5.20) allows attackers to inject malicious scripts via crafted requests.
The FormLift for Infusionsoft Web Forms plugin for WordPress contains a reflected Cross-Site Scripting (XSS) vulnerability in versions up to and including 7.5.20. The root cause is improper neutralization of user-supplied input during web page generation: the plugin reflects one or more request parameters into its HTML output without escaping them for the context (element body or attribute) in which they land, so attacker-controlled characters such as quotes and angle brackets reach the browser intact.
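The pattern described above, shown as an added example in the form a WordPress plugin typically has it. This is not FormLift's code and not the Patchstack advisory's; the parameter name `fl_ref`, both render functions and the request array are assumptions for the illustration. The stub definitions at the top exist only so the file runs from the command line without WordPress loaded; inside WordPress the real `wp_unslash`, `sanitize_text_field` and `esc_attr` are used.

```php
<?php
// Added example; not code from FormLift or Patchstack. The parameter name
// `fl_ref` and both render functions are assumptions for the demonstration.

// Fallbacks so the file runs from the CLI without WordPress loaded. Inside
// WordPress the real functions take precedence (function_exists() is true).
if (!function_exists('wp_unslash')) {
    function wp_unslash($v) { return is_string($v) ? stripslashes($v) : $v; }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation of the WordPress helper: drop tags and surrounding space.
    function sanitize_text_field($v) { return trim(strip_tags((string) $v)); }
}
if (!function_exists('esc_attr')) {
    // Approximation of the WordPress helper: HTML-attribute escaping.
    function esc_attr($v) { return htmlspecialchars((string) $v, ENT_QUOTES | ENT_HTML5, 'UTF-8'); }
}

// Vulnerable pattern: a raw query parameter is concatenated into an attribute.
// A value such as  "><script>...</script>  closes the attribute and the tag,
// and the script runs in the session of whoever loads the crafted URL.
function render_ref_field_vulnerable(array $get): string
{
    $ref = $get['fl_ref'] ?? '';
    return '<input type="hidden" name="ref" value="' . $ref . '">';
}

// Hardened pattern: remove WordPress' magic slashes, normalise the input,
// then escape for the HTML-attribute context at the point of output.
// The output escaping is the step that actually closes the XSS; the input
// sanitisation only narrows what reaches it.
function render_ref_field_hardened(array $get): string
{
    $ref = isset($get['fl_ref']) ? sanitize_text_field(wp_unslash($get['fl_ref'])) : '';
    return '<input type="hidden" name="ref" value="' . esc_attr($ref) . '">';
}

// Constructed request for the demonstration (not a captured attack).
$benign  = ['fl_ref' => 'campaign-42'];
$payload = ['fl_ref' => '"><script>alert(document.domain)</script>'];

foreach (['benign' => $benign, 'payload' => $payload] as $label => $request) {
    echo $label, PHP_EOL;
    echo '  vulnerable: ', render_ref_field_vulnerable($request), PHP_EOL;
    echo '  hardened:   ', render_ref_field_hardened($request), PHP_EOL;
}
```

Run it with `php example.php`: for the payload, the vulnerable line emits a closed `<input>` followed by a live `<script>` element, while the hardened line keeps everything inside the attribute as `&quot;&gt;...`. When reviewing a plugin for this bug class, the thing to grep for is any `$_GET`, `$_POST` or `$_REQUEST` value (or `$_SERVER['REQUEST_URI']`) that reaches `echo`, `printf` or string concatenation without an `esc_*` call matching the output context.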
Exploitation requires user interaction: a victim, from the attacker's point of view ideally an administrator or other privileged user, must click a malicious link, visit a page the attacker controls, or submit a form the attacker has prepared. The attacker does not need to be authenticated to deliver the payload, but the victim must perform the action that triggers the reflected script. Because the payload travels in the request rather than being written to the database, this is reflected rather than stored XSS: nothing persists on the server and each victim has to be lured separately.
Successful exploitation allows an attacker to run arbitrary HTML or JavaScript in the victim's browser in the context of the vulnerable site. That can be used to redirect users to malicious sites, inject unwanted content such as advertisements, steal cookies that are not flagged HttpOnly, or perform authenticated actions in the victim's session. The CVSS score of 7.1 places the issue in the High band; Patchstack notes that reflected XSS flaws of this kind are routinely used in mass exploitation campaigns against thousands of websites [1].
The fix is to update the plugin to version 7.5.21 or later. For sites that cannot update immediately, Patchstack offers a mitigation rule that blocks attack requests until the update is applied [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (No linked articles in our index yet.)