The vulnerability identified as CVE-2025-30781 affects the WPFactory Scheduled & Automatic Order Status Controller plugin for WooCommerce, specifically versions up to and including 3.7.1. This vulnerability is classified as an Open Redirect issue, where the plugin improperly handles URL redirection parameters, allowing an attacker to redirect users to arbitrary, untrusted external websites. The flaw arises because the plugin fails to validate or sanitize redirect URLs, enabling malicious actors to craft URLs that appear legitimate but lead victims to phishing sites or other malicious destinations. This can be exploited by sending specially crafted links to users, who upon clicking, are redirected without warning. The vulnerability does not require authentication, increasing its risk profile, but does require user interaction to trigger. Although no known exploits have been reported in the wild to date, the potential for phishing attacks leveraging this vulnerability is significant, especially given the widespread use of WooCommerce in e-commerce. The vulnerability primarily threatens user confidentiality and the integrity of user sessions by facilitating social engineering attacks, but it does not directly impact the availability or core functionality of the affected systems. The lack of a CVSS score indicates this is a newly published issue, with Patchstack as the assigner. The vulnerability was reserved on March 26, 2025, and published on March 27, 2025, with no current patch links available, indicating that mitigation may require manual intervention until an official update is released.

This Open Redirect vulnerability can have serious consequences for organizations operating WooCommerce stores with the affected plugin. Attackers can exploit it to conduct phishing campaigns by redirecting unsuspecting users to malicious websites designed to steal credentials, distribute malware, or perform other fraudulent activities. This undermines customer trust and can lead to reputational damage, financial loss, and potential regulatory penalties related to data protection. The vulnerability affects the confidentiality and integrity of user interactions but does not directly compromise the server or database. However, successful phishing attacks facilitated by this vulnerability can lead to broader security breaches if attackers obtain user credentials or install malware. The ease of exploitation (no authentication required) and the widespread use of WooCommerce globally amplify the risk. Organizations may also face increased support costs and customer churn if users fall victim to phishing attacks linked to their sites. The threat is particularly impactful for e-commerce businesses relying on customer trust and secure transaction processing.

Until an official patch is released, organizations should implement the following specific mitigations: 1) Disable or remove the WPFactory Scheduled & Automatic Order Status Controller plugin if it is not critical to business operations. 2) If the plugin is essential, implement strict input validation on redirect parameters by modifying the plugin code or using web application firewalls (WAFs) to block suspicious redirect URLs. 3) Employ URL whitelisting to ensure redirects only point to trusted internal domains. 4) Educate users and staff about phishing risks and encourage vigilance when clicking on links, especially those related to order status or WooCommerce notifications. 5) Monitor web server logs for unusual redirect patterns or spikes in traffic to external domains. 6) Keep WooCommerce and all plugins updated regularly, and subscribe to vendor security advisories for timely patch information. 7) Consider deploying Content Security Policy (CSP) headers to restrict navigation to trusted domains. These measures reduce the attack surface and mitigate the risk of exploitation while awaiting an official patch.