Search

Find a vulnerability

Search criteria

    6 vulnerabilities found for FormLift for Infusionsoft Web Forms by Adrian Tobey

    CVE-2025-47654 (GCVE-0-2025-47654)

    Vulnerability from nvd – Published: 2025-06-27 11:52 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress FormLift for Infusionsoft Web Forms plugin <= 7.5.20 - Reflected Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Reflected XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through <= 7.5.20.
    Severity
    7.1 (High)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adrian Tobey FormLift for Infusionsoft Web Forms Affected: 0 , ≤ 7.5.20 (custom)
    		Create a notification for this product.
    Date Public
    2026-04-01 16:40
    Credits
    lucky_buddy | Patchstack Bug Bounty Program
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47654",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T13:59:11.652742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T13:59:18.142Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "formlift",
          "product": "FormLift for Infusionsoft Web Forms",
          "vendor": "Adrian Tobey",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.21",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.20",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "lucky_buddy | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:40:23.228Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Reflected XSS.\u003cp\u003eThis issue affects FormLift for Infusionsoft Web Forms: from n/a through \u003c= 7.5.20.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Reflected XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through \u003c= 7.5.20."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:12:48.406Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/formlift/vulnerability/wordpress-formlift-for-infusionsoft-web-forms-plugin-7-5-19-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress FormLift for Infusionsoft Web Forms plugin \u003c= 7.5.20 - Reflected Cross Site Scripting (XSS) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-47654",
    "datePublished": "2025-06-27T11:52:33.236Z",
    "dateReserved": "2025-05-07T10:45:13.130Z",
    "dateUpdated": "2026-04-28T16:12:48.406Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

    CVE-2025-31434 (GCVE-0-2025-31434)

    Vulnerability from nvd – Published: 2025-03-28 11:54 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress FormLift for Infusionsoft Web Forms plugin <= 7.5.19 - Cross Site Scripting (XSS) Vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Stored XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through <= 7.5.19.
    Severity
    6.5 (Medium)
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adrian Tobey FormLift for Infusionsoft Web Forms Affected: 0 , ≤ 7.5.19 (custom)
    		Create a notification for this product.
    Date Public
    2026-04-01 16:37
    Credits
    Muhammad Yudha - DJ | Patchstack Bug Bounty Program
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31434",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T12:33:12.367455Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T12:33:56.690Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "formlift",
          "product": "FormLift for Infusionsoft Web Forms",
          "vendor": "Adrian Tobey",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.20",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:37:04.899Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Stored XSS.\u003cp\u003eThis issue affects FormLift for Infusionsoft Web Forms: from n/a through \u003c= 7.5.19.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Stored XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through \u003c= 7.5.19."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:12:07.104Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/formlift/vulnerability/wordpress-formlift-for-infusionsoft-web-forms-7-5-19-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress FormLift for Infusionsoft Web Forms plugin \u003c= 7.5.19 - Cross Site Scripting (XSS) Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-31434",
    "datePublished": "2025-03-28T11:54:20.883Z",
    "dateReserved": "2025-03-28T11:00:15.485Z",
    "dateUpdated": "2026-04-28T16:12:07.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

    CVE-2024-38773 (GCVE-0-2024-38773)

    Vulnerability from nvd – Published: 2024-07-22 10:07 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress formlift plugin <= 7.5.17 - Unauthenticated Blind SQL Injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection.This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17.
    Severity
    9.3 (Critical)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adrian Tobey FormLift for Infusionsoft Web Forms Affected: n/a , ≤ 7.5.17 (custom)
    		Create a notification for this product.
    adriantobey formlift_for_infusionsoft_web_forms Affected: 0 , ≤ 7.5.17 (custom)
        cpe:2.3:a:adriantobey:formlift_for_infusionsoft_web_forms:*:*:*:*:*:*:*:*
    		 Create a notification for this product.
    Credits
    Asif Wani (Patchstack Alliance)
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:adriantobey:formlift_for_infusionsoft_web_forms:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "formlift_for_infusionsoft_web_forms",
            "vendor": "adriantobey",
            "versions": [
              {
                "lessThanOrEqual": "7.5.17",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38773",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-22T15:30:06.569879Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-22T15:31:37.977Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:19:20.408Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/formlift/wordpress-formlift-plugin-7-5-17-unauthenticated-blind-sql-injection-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "formlift",
          "product": "FormLift for Infusionsoft Web Forms",
          "vendor": "Adrian Tobey",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.18",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.17",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Asif Wani (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection.\u003cp\u003eThis issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection.This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-7",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-7 Blind SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:06.682Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/formlift/wordpress-formlift-plugin-7-5-17-unauthenticated-blind-sql-injection-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 7.5.18 or a higher version."
            }
          ],
          "value": "Update to 7.5.18 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress formlift plugin \u003c= 7.5.17 - Unauthenticated Blind SQL Injection vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-38773",
    "datePublished": "2024-07-22T10:07:53.644Z",
    "dateReserved": "2024-06-19T12:34:40.590Z",
    "dateUpdated": "2026-04-28T16:10:06.682Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

    CVE-2025-47654 (GCVE-0-2025-47654)

    Vulnerability from cvelistv5 – Published: 2025-06-27 11:52 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress FormLift for Infusionsoft Web Forms plugin <= 7.5.20 - Reflected Cross Site Scripting (XSS) vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Reflected XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through <= 7.5.20.
    Severity
    7.1 (High)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adrian Tobey FormLift for Infusionsoft Web Forms Affected: 0 , ≤ 7.5.20 (custom)
    		Create a notification for this product.
    Date Public
    2026-04-01 16:40
    Credits
    lucky_buddy | Patchstack Bug Bounty Program
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-47654",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-27T13:59:11.652742Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-27T13:59:18.142Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "formlift",
          "product": "FormLift for Infusionsoft Web Forms",
          "vendor": "Adrian Tobey",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.21",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.20",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "lucky_buddy | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:40:23.228Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Reflected XSS.\u003cp\u003eThis issue affects FormLift for Infusionsoft Web Forms: from n/a through \u003c= 7.5.20.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Reflected XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through \u003c= 7.5.20."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-591",
          "descriptions": [
            {
              "lang": "en",
              "value": "Reflected XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:12:48.406Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/formlift/vulnerability/wordpress-formlift-for-infusionsoft-web-forms-plugin-7-5-19-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress FormLift for Infusionsoft Web Forms plugin \u003c= 7.5.20 - Reflected Cross Site Scripting (XSS) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-47654",
    "datePublished": "2025-06-27T11:52:33.236Z",
    "dateReserved": "2025-05-07T10:45:13.130Z",
    "dateUpdated": "2026-04-28T16:12:48.406Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

    CVE-2025-31434 (GCVE-0-2025-31434)

    Vulnerability from cvelistv5 – Published: 2025-03-28 11:54 – Updated: 2026-04-28 16:12
    VLAI
    Title
    WordPress FormLift for Infusionsoft Web Forms plugin <= 7.5.19 - Cross Site Scripting (XSS) Vulnerability
    Summary
    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Stored XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through <= 7.5.19.
    Severity
    6.5 (Medium)
    CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adrian Tobey FormLift for Infusionsoft Web Forms Affected: 0 , ≤ 7.5.19 (custom)
    		Create a notification for this product.
    Date Public
    2026-04-01 16:37
    Credits
    Muhammad Yudha - DJ | Patchstack Bug Bounty Program
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-31434",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-28T12:33:12.367455Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-28T12:33:56.690Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "formlift",
          "product": "FormLift for Infusionsoft Web Forms",
          "vendor": "Adrian Tobey",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.20",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.19",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Muhammad Yudha - DJ | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:37:04.899Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Stored XSS.\u003cp\u003eThis issue affects FormLift for Infusionsoft Web Forms: from n/a through \u003c= 7.5.19.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms formlift allows Stored XSS.This issue affects FormLift for Infusionsoft Web Forms: from n/a through \u003c= 7.5.19."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-592",
          "descriptions": [
            {
              "lang": "en",
              "value": "Stored XSS"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:12:07.104Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Plugin/formlift/vulnerability/wordpress-formlift-for-infusionsoft-web-forms-7-5-19-cross-site-scripting-xss-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress FormLift for Infusionsoft Web Forms plugin \u003c= 7.5.19 - Cross Site Scripting (XSS) Vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2025-31434",
    "datePublished": "2025-03-28T11:54:20.883Z",
    "dateReserved": "2025-03-28T11:00:15.485Z",
    "dateUpdated": "2026-04-28T16:12:07.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

    CVE-2024-38773 (GCVE-0-2024-38773)

    Vulnerability from cvelistv5 – Published: 2024-07-22 10:07 – Updated: 2026-04-28 16:10
    VLAI
    Title
    WordPress formlift plugin <= 7.5.17 - Unauthenticated Blind SQL Injection vulnerability
    Summary
    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection.This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17.
    Severity
    9.3 (Critical)
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    References
    Impacted products
    Vendor Product Version
    Adrian Tobey FormLift for Infusionsoft Web Forms Affected: n/a , ≤ 7.5.17 (custom)
    		Create a notification for this product.
    adriantobey formlift_for_infusionsoft_web_forms Affected: 0 , ≤ 7.5.17 (custom)
        cpe:2.3:a:adriantobey:formlift_for_infusionsoft_web_forms:*:*:*:*:*:*:*:*
    		 Create a notification for this product.
    Credits
    Asif Wani (Patchstack Alliance)
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:adriantobey:formlift_for_infusionsoft_web_forms:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "formlift_for_infusionsoft_web_forms",
            "vendor": "adriantobey",
            "versions": [
              {
                "lessThanOrEqual": "7.5.17",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-38773",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-07-22T15:30:06.569879Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-22T15:31:37.977Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T04:19:20.408Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/formlift/wordpress-formlift-plugin-7-5-17-unauthenticated-blind-sql-injection-vulnerability?_s_id=cve"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "formlift",
          "product": "FormLift for Infusionsoft Web Forms",
          "vendor": "Adrian Tobey",
          "versions": [
            {
              "changes": [
                {
                  "at": "7.5.18",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "7.5.17",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Asif Wani (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection.\u003cp\u003eThis issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17.\u003c/p\u003e"
            }
          ],
          "value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Adrian Tobey FormLift for Infusionsoft Web Forms allows Blind SQL Injection.This issue affects FormLift for Infusionsoft Web Forms: from n/a through 7.5.17."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-7",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-7 Blind SQL Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-89",
              "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:10:06.682Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/formlift/wordpress-formlift-plugin-7-5-17-unauthenticated-blind-sql-injection-vulnerability?_s_id=cve"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Update to 7.5.18 or a higher version."
            }
          ],
          "value": "Update to 7.5.18 or a higher version."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress formlift plugin \u003c= 7.5.17 - Unauthenticated Blind SQL Injection vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-38773",
    "datePublished": "2024-07-22T10:07:53.644Z",
    "dateReserved": "2024-06-19T12:34:40.590Z",
    "dateUpdated": "2026-04-28T16:10:06.682Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}