FormLift
cpe:2.3:a:formlift:formlift_for_infusionsoft_web_forms:*:*:*:*:wordpress:*:*
Affected versions: <= 7.5.21
A vulnerability exists in the FormLift for Infusionsoft Web Forms WordPress plugin in versions through 7.5.21. The issue stems from missing authorization checks in the 'connect()' and 'listen_for_tokens()' methods of the FormLift_Infusionsoft_Manager class, both of which run on every page load. The 'connect()' method generates an OAuth connection password and exposes it in the redirect Location header without confirming that the requesting user is authenticated or authorized. The 'listen_for_tokens()' method validates that temporary password but, again without authenticating the user, calls 'update_option()' to store attacker-controlled OAuth tokens and app domain. Together these flaws let an unauthenticated attacker take over the site's Infusionsoft connection: initiating the OAuth process yields the temporary password, and that password then authorizes the injection of arbitrary OAuth tokens and app domain through 'update_option()', redirecting the plugin's API interactions to an attacker-controlled server.
Exploitation of this vulnerability allows for unauthorized hijacking of the Infusionsoft connection on the affected WordPress site, by manipulating OAuth tokens and redirecting API communications to an attacker-controlled server.
The vulnerability can be reproduced by sending a request to the 'connect()' method without proper authentication or authorization. This can be done by an unauthenticated user, who can then intercept the OAuth connection password that is leaked in the redirect header. Once the password is obtained, it can be used with the 'listen_for_tokens()' method to set arbitrary OAuth tokens and app domain, hijacking the Infusionsoft connection.
Users are advised to update the FormLift for Infusionsoft Web Forms plugin to version 7.5.22 or later.
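The following is an added illustration, not FormLift's code and not the fix shipped in 7.5.22: a hypothetical WordPress OAuth-connection handler written the way the advisory implies the vulnerable methods should have been, with a capability check and nonce on the request that starts the flow, a server-side single-use state value that is never leaked to an unauthenticated caller, and a callback that re-checks authorization and obtains tokens from the provider rather than from request parameters. The class name Example_OAuth_Manager, the option name example_oauth_tokens, the query parameters example_connect and example_oauth_callback, the EXAMPLE_CLIENT_ID / EXAMPLE_CLIENT_SECRET constants and the provider.example URLs are all assumptions for the example.

```php
<?php
// Added example (assumed names throughout); not the plugin's own code.
class Example_OAuth_Manager {

    public function __construct() {
        // Hook admin requests only, not every front-end page load.
        add_action( 'admin_init', array( $this, 'maybe_handle_request' ) );
    }

    public function maybe_handle_request() {
        if ( isset( $_GET['example_connect'] ) ) {
            $this->connect();
        } elseif ( isset( $_GET['example_oauth_callback'] ) ) {
            $this->listen_for_tokens();
        }
    }

    // Start the OAuth flow: administrator + nonce required; the one-time
    // state value is stored server-side per user instead of being exposed.
    public function connect() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        check_admin_referer( 'example_connect' ); // dies on missing/invalid nonce

        $state = wp_generate_password( 32, false ); // random one-time value
        set_transient( 'example_oauth_state_' . get_current_user_id(), $state, 10 * MINUTE_IN_SECONDS );

        $authorize_url = add_query_arg(
            array(
                'client_id'     => EXAMPLE_CLIENT_ID, // assumed constant
                'redirect_uri'  => admin_url( 'admin.php?example_oauth_callback=1' ),
                'state'         => $state,
                'response_type' => 'code',
            ),
            'https://provider.example/oauth/authorize' // placeholder provider URL
        );
        wp_safe_redirect( $authorize_url );
        exit;
    }

    // Provider callback: authorization is re-checked here, so knowing the
    // state value alone is never enough to write tokens into the database.
    public function listen_for_tokens() {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }

        $key      = 'example_oauth_state_' . get_current_user_id();
        $expected = get_transient( $key );
        $received = isset( $_GET['state'] ) ? sanitize_text_field( wp_unslash( $_GET['state'] ) ) : '';
        delete_transient( $key ); // single use, whatever the outcome

        if ( ! $expected || ! hash_equals( $expected, $received ) ) {
            wp_die( 'Invalid OAuth state.', '', array( 'response' => 400 ) );
        }

        $code = isset( $_GET['code'] ) ? sanitize_text_field( wp_unslash( $_GET['code'] ) ) : '';
        if ( '' === $code ) {
            wp_die( 'Missing authorization code.', '', array( 'response' => 400 ) );
        }

        // Exchange the code server-to-server: tokens (and any app domain)
        // come from the provider's response, never from the incoming request.
        $response = wp_remote_post(
            'https://provider.example/oauth/token', // placeholder provider URL
            array(
                'body' => array(
                    'grant_type'    => 'authorization_code',
                    'code'          => $code,
                    'client_id'     => EXAMPLE_CLIENT_ID,
                    'client_secret' => EXAMPLE_CLIENT_SECRET, // assumed constant
                    'redirect_uri'  => admin_url( 'admin.php?example_oauth_callback=1' ),
                ),
            )
        );
        if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
            wp_die( 'Token exchange failed.', '', array( 'response' => 502 ) );
        }
        $tokens = json_decode( wp_remote_retrieve_body( $response ), true );
        if ( empty( $tokens['access_token'] ) ) {
            wp_die( 'Token exchange failed.', '', array( 'response' => 502 ) );
        }

        update_option( 'example_oauth_tokens', $tokens, false ); // no autoload of secrets
        wp_safe_redirect( admin_url( 'admin.php?page=example_settings&connected=1' ) );
        exit;
    }
}
```

The settings page would link to the start of the flow with `wp_nonce_url( admin_url( 'admin.php?example_connect=1' ), 'example_connect' )`, which is what `check_admin_referer( 'example_connect' )` verifies. The two properties that matter for the class of bug in this advisory are that both entry points gate on `current_user_can()` before doing anything, and that nothing written with `update_option()` originates from a request an anonymous client could have crafted.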