CVE-2025-58006 MEDIUM

CVE-2025-58006: WordPress WP Gravity Forms Keap/Infusionsoft plugin <= 1.2.6 - Open Redirection vulnerability

Vendor Crm Perks

Product WP Gravity Forms Keap/Infusionsoft

Weakness CWE-601 · Open redirect

Published September 22, 2025

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

4.7/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Phishing.This issue affects WP Gravity Forms Keap/Infusionsoft: from n/a through <= 1.2.6.

Explanation of Vulnerability in Simple Terms

02Summary

The WP Gravity Forms Keap/Infusionsoft plugin through version 1.2.6 contains an open redirect vulnerability. An attacker can craft a malicious link that redirects users to an external website after they interact with the plugin. This can be used to phish credentials or distribute malware. The vulnerability requires user interaction and affects the scope beyond the plugin itself.

What an attacker can do

03Attacker Capabilities

Redirect site visitors to a malicious external website via a crafted link.

Potential impact on your site

04Site Impact

Users can be redirected away from your site to phishing or malware sites, damaging trust.

Conditions required to exploit

05Prerequisites

Victim must click a malicious link; no authentication required.

Key dates

06Disclosure timeline

September 22, 2025 CVE published

April 28, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-58006 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/601.html

Related vulnerabilities

Identifiers

CVE CVE-2025-58006

CWE CWE-601

CVSS 4.7 / MEDIUM

Affected versions