CVE-2025-67585 MEDIUM

CVE-2025-67585: WordPress Flexmls® IDX plugin <= 3.15.7 - Open Redirection vulnerability

Vendor: Flexmls
Product: Flexmls® IDX
Weakness: CWE-601 · Open redirect
Published: December 9, 2025
Last update: April 28, 2026

CVSS base score

4.7/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

What the vulnerability does

01 Description

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in flexmls Flexmls® IDX flexmls-idx allows Phishing. This issue affects Flexmls® IDX: from n/a through <= 3.15.7.

Explanation of Vulnerability in Simple Terms

02 Summary

Flexmls IDX versions 3.15.7 and earlier contain an open redirect vulnerability. An attacker can craft a malicious link that redirects users to an external website after they interact with the application. The vulnerability requires user interaction and has limited confidentiality impact. Update to a version newer than 3.15.7 to remediate.

What an attacker can do

03 Attacker Capabilities

Redirect users to a malicious external website via a crafted link.

Potential impact on your site

04 Site Impact

Users may be redirected away from your site to phishing or malware sites if they click attacker-controlled links.

Conditions required to exploit

05 Prerequisites

A user must click a malicious link or visit a page containing the redirect.

Key dates

06 Disclosure timeline

December 9, 2025: CVE published
April 28, 2026: Record updated