The CVE-2025-30954 vulnerability is an Open Redirect issue (CWE-601) found in the CRM Perks WP Gravity Forms Constant Contact Plugin, a WordPress plugin designed to integrate Gravity Forms with Constant Contact email marketing services. This vulnerability allows an attacker to craft malicious URLs that appear to originate from a trusted domain but redirect users to untrusted, potentially malicious websites. The affected versions include all versions up to and including 1.1.0, with no specific lower bound version identified. The vulnerability is exploitable remotely without authentication (AV:N/PR:N), requiring only user interaction (UI:R), such as clicking a crafted link. The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component, potentially impacting user trust and security on the affected website. The impact on confidentiality is low (C:L), as the vulnerability does not directly expose sensitive data, and there is no impact on integrity or availability. However, the primary risk is enabling phishing attacks by redirecting users to malicious sites that can harvest credentials or deliver malware. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on June 6, 2025, and assigned a CVSS v3.1 score of 4.7, categorized as medium severity. This vulnerability is significant because WordPress sites using this plugin may inadvertently facilitate phishing campaigns, undermining user trust and potentially leading to credential theft or malware infections.

For European organizations, the impact of this vulnerability can be substantial, especially for businesses relying on WordPress sites with Gravity Forms and Constant Contact integration for customer engagement and marketing. The open redirect can be exploited by attackers to conduct phishing attacks targeting employees, customers, or partners by redirecting them from legitimate URLs to malicious sites. This can lead to credential compromise, unauthorized access to corporate resources, and potential data breaches. Additionally, organizations may suffer reputational damage and loss of customer trust if their websites are used as vectors for phishing. Given the GDPR regulatory environment in Europe, any resulting data breach or compromise could also lead to significant compliance and legal consequences. The vulnerability does not directly compromise system integrity or availability but poses a notable risk to confidentiality through social engineering and phishing vectors. The medium severity rating reflects the moderate but non-negligible risk posed by this vulnerability.

To mitigate this vulnerability, European organizations should: 1) Immediately audit their WordPress installations to identify the presence and version of the CRM Perks WP Gravity Forms Constant Contact Plugin. 2) If the plugin is installed and affected (version ≤ 1.1.0), disable or remove it until a security patch is released. 3) Monitor official vendor channels and security advisories for patches or updates addressing CVE-2025-30954 and apply them promptly. 4) Implement web application firewall (WAF) rules to detect and block suspicious URL redirection patterns associated with this vulnerability. 5) Educate users and employees about phishing risks, emphasizing caution when clicking links, even from trusted domains. 6) Employ URL filtering and email security solutions to detect and quarantine phishing attempts leveraging this vulnerability. 7) Review and harden website redirect logic to ensure only trusted URLs are allowed, potentially by customizing or replacing the vulnerable plugin with more secure alternatives. 8) Conduct regular security assessments and penetration testing focusing on open redirect and phishing vectors to proactively identify and remediate similar issues.