CVE-2025-60151: URL Redirection to Untrusted Site ('Open Redirect') in CRM Perks WP Gravity Forms HubSpot
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms HubSpot (gf-hubspot) allows Phishing. This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.5.
AI Analysis
Technical Summary
CVE-2025-60151 is an open redirect (CWE-601, URL Redirection to Untrusted Site) in the WP Gravity Forms HubSpot plugin (slug gf-hubspot) by CRM Perks, affecting every version up to and including 1.2.5. An open redirect arises when an application takes a redirect destination from user-controlled input and sends the browser there without confirming that the destination is one it intends to serve. Here the plugin does not validate a redirect URL adequately, so an attacker can build a link whose visible domain is the victim organization's own WordPress site but whose redirect parameter delivers the user to an attacker-controlled page. The usual use is phishing: the link passes a glance at the address bar and many reputation checks because it points at a trusted host, then hands the victim to a credential-harvesting or malware page. The advisory gives no indication that an account on the site is needed; as with most open redirects, the attacker's only requirement is a victim who follows the crafted link. It also does not name the affected parameter, the affected endpoint, or any plugin setting that must be enabled, so those details must be taken from the vendor's fix or from an independent analysis. No public exploit has been reported. The plugin sits at a form-submission boundary that feeds lead and contact data into HubSpot, so the host site is a plausible lure for phishing aimed at the same contacts. No CVSS score has been assigned (the record lists the CVSS version as null); that reflects a freshly published entry rather than a judgment that the issue is minor. Open redirects are typically scored low to medium on their own, and the practical risk comes from how the link is used. The CVE was reserved on 2025-09-25 and published on 2025-10-22 with Patchstack as the assigning CNA. The "through <= 1.2.5" wording bounds the affected range but does not itself name a fixed release, so confirm fix status against the vendor's changelog rather than assuming one way or the other.
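How the validation fails, and what a correct check looks like, as an added example that is not code from the plugin or from this advisory (the vulnerable parameter and the plugin's own code are not shown on the page): a naive redirect-target check next to a hardened allowlist check, both run over constructed probe URLs that cover the bypasses an attacker would try. SITE_HOST, the probe strings and the function names are assumptions. The WordPress equivalent of the hardened check is wp_safe_redirect(), which consults the allowed_redirect_hosts filter.

```python
"""Open redirect: a naive target check beside a hardened one.

Added example; this is not code from the WP Gravity Forms HubSpot plugin
(the vulnerable parameter and code are not shown on the advisory). The
site host and the sample targets below are constructed.
"""
from urllib.parse import urlsplit

SITE_HOST = "forms.example.org"  # assumed host of the WordPress site


def naive_is_safe(target: str) -> bool:
    """The kind of check that open redirects slip past: treat anything that
    does not start with http:// or https:// as a local path."""
    return not target.lower().startswith(("http://", "https://"))


def hardened_is_safe(target: str, allowed_hosts=(SITE_HOST,)) -> bool:
    """Allow only a site-relative path or an absolute http(s) URL whose host
    is on the allowlist. Same policy as WordPress's wp_safe_redirect() with
    its allowed_redirect_hosts filter, without the WordPress plumbing."""
    # Browsers drop ASCII control characters and spaces inside URLs, so a
    # target like "ht\ttps://evil.example" must be judged as if they were gone.
    cleaned = "".join(ch for ch in target if ord(ch) > 0x20 and ord(ch) != 0x7F)
    if not cleaned:
        return False
    # Browsers treat a backslash as a forward slash in http(s) URLs:
    # "/\evil" is the protocol-relative "//evil".
    cleaned = cleaned.replace("\\", "/")
    parts = urlsplit(cleaned)
    host = (parts.hostname or "").lower()
    if parts.scheme:
        # Rejects javascript:, data:, and http(s) URLs to foreign hosts,
        # including userinfo tricks like https://forms.example.org@evil.example
        return parts.scheme.lower() in ("http", "https") and host in allowed_hosts
    if parts.netloc:
        # Scheme-less "//host" is protocol-relative, not a local path.
        return host in allowed_hosts
    # No scheme, no authority: require exactly one leading slash. Browsers
    # collapse "///evil" to "//evil", so two or more slashes are rejected.
    return cleaned.startswith("/") and not cleaned.startswith("//")


# Constructed probes: (target, what a browser would do with it)
PROBES = [
    ("/thank-you?ref=form", "local path"),
    ("https://forms.example.org/thank-you", "own host"),
    ("https://evil.example/login", "foreign host"),
    ("//evil.example/login", "protocol-relative"),
    ("/\\evil.example", "backslash smuggling"),
    ("///evil.example", "triple slash"),
    ("https://forms.example.org@evil.example/", "userinfo trick"),
    ("ht\ttps://evil.example", "tab inside scheme"),
    ("javascript:alert(1)", "script scheme"),
]


def compare() -> dict:
    """Return {target: (naive verdict, hardened verdict)} for every probe."""
    return {t: (naive_is_safe(t), hardened_is_safe(t)) for t, _ in PROBES}


if __name__ == "__main__":
    for target, note in PROBES:
        print(f"{target!r:44} {note:22} naive={naive_is_safe(target)!s:5} "
              f"hardened={hardened_is_safe(target)}")
```

Running it shows the naive check waving through six of the seven hostile probes while rejecting the site's own absolute URL; the hardened check accepts exactly the local path and the own-host URL. The policy is an allowlist of hosts, not a denylist of patterns, which is why the backslash, triple-slash and userinfo variants fall out without special cases.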
Potential Impact
A crafted link that begins at a trusted domain is effective phishing bait: it survives a glance at the address bar, link checks that judge only the visible domain, and the user's own habit of trusting the organization's site. The likely outcomes are credential theft (with follow-on access to mail, CRM or WordPress admin accounts), malware delivered from the final landing page, and reputational damage for the organization whose domain served as the hop. For European organizations processing personal data through these forms, a compromise that starts with this lure can become a reportable incident under GDPR. The attack needs no account on the site and a single click from the victim, so anyone who would plausibly receive a link to the site, whether employee, customer or partner, is in scope. No exploitation in the wild has been reported; open redirects are, however, trivial to weaponize once the parameter is known, so the absence of reports should not be read as low exposure.
Mitigation Recommendations
First establish exposure: check the Plugins screen of each WordPress site, or run `wp plugin get gf-hubspot --field=version` with WP-CLI (gf-hubspot is the slug given in the advisory), and treat any version up to and including 1.2.5 as affected. Watch the vendor's changelog and the Patchstack advisory for a release above 1.2.5 and update as soon as one is published. Until then, deactivate the plugin where the HubSpot sync is not essential; where it is, put a WAF or reverse-proxy rule in front of the site that rejects requests whose query values decode to an absolute or protocol-relative URL (http://, https://, // or their percent-encoded forms) for a host other than your own. Developers who maintain custom redirect code around the forms should use WordPress's wp_safe_redirect(), which restricts destinations to the hosts returned by the allowed_redirect_hosts filter, rather than wp_redirect(), which does not validate the target. Review access logs for 3xx responses to site URLs whose query string carries an off-site URL, and alert on them going forward. Because the payload of this vulnerability is phishing, compensating controls matter: enforce MFA so a harvested password is not sufficient on its own, and remind staff that a link beginning with your own domain can still land somewhere else. Finally, follow HubSpot and WordPress security channels for further developments or mitigations.
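The log review recommended above, as an added example rather than tooling from the plugin vendor or from this advisory: a scanner over constructed Apache combined-format access-log lines that flags any query parameter whose decoded value names a host other than the site's own, and records whether the server actually answered with a redirect. The parameter name return_url, the hosts and the addresses are placeholders; the advisory does not name the vulnerable parameter, which is why every parameter on every request is checked.

```python
"""Scan web-server access logs for redirect parameters that point off-site.

Added example, not tooling from the plugin vendor or from this advisory.
The log lines are constructed in Apache combined format; return_url is a
placeholder parameter name, since the advisory does not name the vulnerable
one, and the scanner deliberately checks every query parameter.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SITE_HOST = "forms.example.org"  # assumed host of the WordPress site

# Apache/nginx "combined" format: ip ident user [ts] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

LOG_LINES = [  # constructed sample; not real traffic
    '203.0.113.5 - - [22/Oct/2025:14:53:41 +0000] "GET /contact/?return_url=%2Fthank-you HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Oct/2025:14:55:02 +0000] "GET /contact/?return_url=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0 "https://mail.example/" "Mozilla/5.0"',
    '203.0.113.9 - - [22/Oct/2025:14:56:10 +0000] "GET /contact/?return_url=%2F%2Fevil.example HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '203.0.113.9 - - [22/Oct/2025:14:57:33 +0000] "GET /contact/?return_url=%252F%5Cevil.example HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    '198.51.100.2 - - [22/Oct/2025:14:58:00 +0000] "GET /wp-content/plugins/gf-hubspot/readme.txt HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]


def offsite_url_params(target: str, site_host: str = SITE_HOST) -> list:
    """Return (param, host) for every query parameter whose value, decoded the
    way the plugin and then the browser would see it, names a foreign host."""
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # second decode catches %252F-style double encoding
        # Drop control characters and map backslash to slash, as browsers do.
        cleaned = "".join(ch for ch in value if ord(ch) > 0x20).replace("\\", "/")
        host = (urlsplit(cleaned).hostname or "").lower()
        if host and host != site_host:
            hits.append((key, host))
    return hits


def scan(lines, site_host: str = SITE_HOST) -> list:
    """One finding per (request, parameter) pair. 'redirected' records whether
    the server answered with a 3xx, which separates a blocked or ignored probe
    from a redirect that was actually served."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production, count these separately
        for param, host in offsite_url_params(m["target"], site_host):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": urlsplit(m["target"]).path,
                "param": param,
                "host": host,
                "status": int(m["status"]),
                "redirected": m["status"].startswith("3"),
            })
    return findings


if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']} -> {f['host']} "
              f"(HTTP {f['status']}, redirected={f['redirected']})")
```

On the sample it reports three findings, all from the same parameter and all served as 302s: the plain absolute URL, the protocol-relative form, and the double-encoded backslash form that a single URL-decode would miss. The legitimate local return path and the unrelated readme request produce nothing. Feeding it real logs means tailing the web server's access log and grouping findings by source address and destination host; a burst of distinct hosts from one address is reconnaissance, while a single host hit from many addresses is a campaign already under way.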
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:28:03.106Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 68f8eff504677bbd79439a7b
Added to database: 10/22/2025, 2:53:41 PM
Last enriched: 10/22/2025, 3:28:14 PM
Last updated: 10/27/2025, 7:35:15 AM