
CVE-2025-60151: URL Redirection to Untrusted Site ('Open Redirect') in CRM Perks WP Gravity Forms HubSpot

Severity: Medium
Published: Wed Oct 22 2025 (10/22/2025, 14:32:41 UTC)
Source: CVE Database V5
Vendor/Project: CRM Perks
Product: WP Gravity Forms HubSpot

Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Phishing. This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.5.

AI-Powered Analysis

Last updated: 01/20/2026, 21:42:45 UTC

Technical Analysis

CVE-2025-60151 is an Open Redirect vulnerability identified in the CRM Perks WP Gravity Forms HubSpot plugin, affecting versions up to and including 1.2.5. This plugin integrates WordPress Gravity Forms with HubSpot CRM, enabling data synchronization and marketing automation. The vulnerability arises because the plugin improperly validates URLs used for redirection, allowing attackers to craft malicious URLs that redirect users to arbitrary, untrusted external websites. This behavior can be exploited in phishing campaigns, where users are tricked into clicking on seemingly legitimate links that lead to malicious sites designed to steal credentials or deliver malware. The vulnerability requires no authentication (AV:N) and has low attack complexity (AC:L), but does require user interaction (UI:R) to follow the malicious link. The scope is changed (S:C) because the redirection can lead users outside the trusted domain, impacting confidentiality (C:L) but not integrity or availability. No known exploits are currently reported in the wild, and no official patches have been linked yet. The vulnerability was reserved on 2025-09-25 and published on 2025-10-22. Given the widespread use of WordPress and HubSpot integrations, this vulnerability poses a moderate risk to organizations relying on these technologies for customer engagement and data collection.

Potential Impact

For European organizations, this vulnerability primarily threatens the confidentiality of user data by facilitating phishing attacks that can lead to credential theft or unauthorized access. Organizations using the affected plugin in customer-facing environments risk their users being redirected to malicious sites, potentially damaging brand reputation and customer trust. While the vulnerability does not directly compromise system integrity or availability, successful phishing can lead to broader security incidents, including account takeover or data breaches. The impact is more pronounced for sectors with high customer interaction via web forms, such as e-commerce, financial services, and marketing agencies. The medium CVSS score reflects a moderate risk, but the ease of exploitation and potential for social engineering elevate the threat in practice. European GDPR regulations also impose strict requirements on protecting user data, so exploitation could lead to regulatory penalties if user data is compromised.

Mitigation Recommendations

Organizations should monitor for updates from CRM Perks and apply patches promptly once available to fix the Open Redirect vulnerability. In the interim, implement strict URL validation and sanitization on all form inputs and redirection parameters to ensure only trusted domains are allowed. Employ web application firewalls (WAFs) with rules to detect and block suspicious redirection attempts. Educate users and staff about phishing risks, emphasizing caution when clicking on links, especially those received via email or external sources. Review and limit the use of third-party plugins, ensuring only necessary and actively maintained components are deployed. Conduct regular security assessments and penetration testing focused on web application flows involving redirects. Additionally, consider implementing Content Security Policy (CSP) headers to restrict navigation to trusted domains and use multi-factor authentication to reduce the impact of credential compromise.
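As an added illustration of the interim mitigation above (this is example code, not code from the gf-hubspot plugin or from this page's source), the following Python validator applies the "only trusted domains are allowed" rule to a redirect parameter. The allow-listed hosts, the fallback URL and the sample inputs are all constructed for the example. It goes slightly beyond the text by also rejecting the parser edge cases that commonly turn a naive host check into an open redirect: protocol-relative `//host` targets, backslashes (browsers treat `\` as `/` in http(s) URLs), embedded user-info, non-http schemes and scheme-less hosts.

```python
from urllib.parse import urlsplit

# Constructed example values: the site's own hosts and an in-site fallback.
# Replace with the real allow-list of the application being protected.
ALLOWED_HOSTS = frozenset({"www.example.com", "forms.example.com"})
FALLBACK_URL = "https://www.example.com/"


def is_safe_redirect(candidate, allowed_hosts=ALLOWED_HOSTS):
    """Return True only if `candidate` is a same-site relative path or an
    http(s) URL whose host is exactly on the allow-list.

    Anything ambiguous is rejected rather than "repaired": open redirects
    usually come from a validator that accepts too much, not too little.
    """
    if not isinstance(candidate, str):
        return False
    target = candidate.strip()
    if not target:
        return False
    # Control characters and backslashes confuse URL parsers: browsers treat
    # "\" as "/" in http(s) URLs, so "/\host" navigates to "//host".
    if any(ord(ch) < 0x20 or ch == "\\" for ch in target):
        return False
    # Same-site relative path: exactly one leading slash. "//host" is a
    # protocol-relative URL and would leave the site.
    if target.startswith("/"):
        return not target.startswith("//")
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        # Rejects "javascript:", "data:" and scheme-less "host/path" (empty scheme).
        return False
    if parts.username is not None or parts.password is not None:
        # "https://www.example.com@attacker.example/" is a URL for attacker.example.
        return False
    host = parts.hostname  # lower-cased, brackets and port stripped
    return host is not None and host in allowed_hosts


def safe_redirect_target(candidate, fallback=FALLBACK_URL):
    """Return the validated redirect target, or a fixed in-site fallback."""
    return candidate.strip() if is_safe_redirect(candidate) else fallback


if __name__ == "__main__":
    # Constructed sample inputs a redirect parameter might carry.
    samples = [
        "/thank-you",
        "https://forms.example.com/done",
        "//attacker.example",
        "https://www.example.com@attacker.example/",
        "https://www.example.com.attacker.example/",
        "javascript:alert(1)",
        "/\\attacker.example",
    ]
    for url in samples:
        print(f"{url!r:50} -> {safe_redirect_target(url)}")
```

The check compares the parsed host name for exact membership rather than using a prefix or substring test, which is what lets `www.example.com.attacker.example` through in many hand-written validators. In a WordPress plugin the equivalent built-in is `wp_safe_redirect()`, which runs the target through `wp_validate_redirect()` against the site's own host and the `allowed_redirect_hosts` filter; the example above shows the same decision logic in a form that can be unit-tested outside WordPress.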


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-09-25T15:28:03.106Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68f8eff504677bbd79439a7b

Added to database: 10/22/2025, 2:53:41 PM

Last enriched: 1/20/2026, 9:42:45 PM

Last updated: 2/7/2026, 8:49:42 AM

Views: 71

Community Reviews

0 reviews

