CVE-2025-60151: URL Redirection to Untrusted Site ('Open Redirect') in CRM Perks WP Gravity Forms HubSpot
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Phishing. This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.5.
AI Analysis
Technical Summary
The CVE-2025-60151 vulnerability is an Open Redirect issue affecting the CRM Perks WP Gravity Forms HubSpot plugin for WordPress, specifically versions up to and including 1.2.5. Open Redirect vulnerabilities occur when an application accepts untrusted input that causes it to redirect users to external URLs without proper validation. In this case, the plugin allows attackers to craft URLs that redirect users to malicious sites, facilitating phishing attacks by exploiting user trust in the legitimate domain. The vulnerability requires no authentication (AV:N), has low attack complexity (AC:L), but does require user interaction (UI:R) since the victim must click a crafted link. The scope is changed (S:C) because the vulnerability can affect users beyond the immediate application context. The impact is limited to confidentiality (C:L) as attackers can trick users into divulging sensitive information on phishing sites, but there is no direct impact on integrity or availability. The vulnerability was reserved in late September 2025 and published in October 2025, with no known exploits in the wild at the time of reporting. The plugin integrates WordPress Gravity Forms with HubSpot CRM, commonly used for lead capture and marketing automation, making it a valuable target for attackers seeking to harvest credentials or personal data via phishing.
Potential Impact
For European organizations, this vulnerability poses a significant risk primarily through phishing campaigns that leverage the trusted domain of affected websites. Organizations using the WP Gravity Forms HubSpot plugin expose their users to malicious redirects that can lead to credential theft, fraud, or malware delivery. This can damage brand reputation, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is compromised), and cause financial losses. Since the vulnerability does not directly affect system integrity or availability, the impact is more on user trust and data confidentiality. However, phishing attacks can be a gateway to broader compromises if attackers gain credentials or deploy secondary payloads. Organizations with customer-facing forms integrated with HubSpot are particularly vulnerable, as these forms are often used to collect sensitive customer data. The medium CVSS score reflects the moderate but non-negligible risk, emphasizing the need for timely mitigation.
Mitigation Recommendations
1. Monitor for and apply updates or patches from CRM Perks as soon as they become available to address this vulnerability.
2. In the absence of an official patch, implement server-side URL validation and sanitization to ensure that redirect URLs are restricted to trusted domains only.
3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious redirect patterns associated with this vulnerability.
4. Educate end-users and employees about the risks of phishing and encourage verification of URLs before clicking, especially those originating from forms or emails.
5. Conduct regular security assessments and penetration testing focused on web forms and redirect mechanisms.
6. Consider temporarily disabling the WP Gravity Forms HubSpot integration if patching is delayed and risk is deemed high.
7. Use Content Security Policy (CSP) headers to restrict the domains to which the browser can navigate, mitigating the impact of open redirects.
8. Monitor logs for unusual redirect activity or spikes in user complaints related to phishing attempts.
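Recommendation 2 above (restrict redirect targets to trusted domains on the server side) is the control that actually removes an open redirect. The following is an added example written for this page, not code from the CRM Perks plugin or from WordPress core: a standalone allowlist validator that a plugin could call before emitting a Location header. Inside WordPress the same effect is obtained with the core functions wp_safe_redirect() and wp_validate_redirect(), whose host allowlist is extended through the allowed_redirect_hosts filter; the hosts and sample inputs below are constructed for illustration.

```php
<?php
// Added example (not the plugin's or WordPress core's code).
// Allowlist-based validation of a user-supplied redirect target.

/**
 * Return $target if it is a site-relative path or an absolute http(s) URL
 * whose host is exactly one of $allowedHosts; otherwise return $fallback.
 */
function safe_redirect_target(string $target, array $allowedHosts, string $fallback = '/'): string
{
    $target = trim($target);
    if ($target === '') {
        return $fallback;
    }
    // Control characters (including CR/LF) would allow header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $target)) {
        return $fallback;
    }
    // "//host" and "/\host" are treated as absolute by browsers, so they are
    // external targets, not site-relative paths.
    if (preg_match('#^[/\\\\]{2}#', $target)) {
        return $fallback;
    }
    // A single leading slash is a path on this site: safe by construction.
    if ($target[0] === '/') {
        return $target;
    }
    $parts = parse_url($target);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return $fallback;          // javascript:, data:, etc.
    }
    // Exact, case-insensitive host comparison; no suffix or substring matching,
    // so "trusted.example.evil.example" or "trusted.example@evil.example" fail.
    $host    = strtolower($parts['host']);
    $allowed = array_map('strtolower', $allowedHosts);
    if (!in_array($host, $allowed, true)) {
        return $fallback;
    }
    return $target;
}

// Constructed demonstration inputs (hypothetical hosts).
$allowed = ['www.example.org', 'crm.example.org'];
$samples = [
    '/thank-you/',                                   // kept: site-relative
    'https://crm.example.org/confirm?id=1',          // kept: allowlisted host
    'https://evil.example/login',                    // rejected: foreign host
    '//evil.example/login',                          // rejected: protocol-relative
    'https://www.example.org@evil.example/',         // rejected: userinfo trick
    'javascript:alert(1)',                           // rejected: scheme
    "/ok\r\nSet-Cookie: x=1",                        // rejected: CRLF
];
foreach ($samples as $s) {
    printf("%-45s -> %s\n", json_encode($s), safe_redirect_target($s, $allowed));
}
```

In a real handler the returned value is the only string that reaches the Location header; the raw request parameter is never echoed, and rejected inputs are logged with the requesting IP so that the monitoring in recommendation 8 has something to alert on.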
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:28:03.106Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68f8eff504677bbd79439a7b
Added to database: 10/22/2025, 2:53:41 PM
Last enriched: 11/13/2025, 11:42:17 AM
Last updated: 12/8/2025, 11:13:52 AM
Views: 57