Impact
The vulnerability is an Open Redirect flaw that allows an attacker to manipulate redirection URLs processed by the FunnelKit Automations plugin. Because the plugin accepts arbitrary redirect targets without validation, a malicious actor can craft a link that sends users from the legitimate WordPress site to an attacker-controlled domain, which facilitates phishing or visits to malicious sites. The flaw does not by itself provide code execution or data exposure, but it undermines user trust and could lead to credential compromise if the user follows the deceptive link.
Affected Systems
Vendors: Aman and FunnelKit; product: FunnelKit Automations. The bug is reported in all releases up to and including version 3.5.1; no lower version bound is given, so which earlier releases are actually impacted is not documented. Sites running any affected plugin version are susceptible.
Risk and Exploitability
The CVSS score of 4.7 indicates moderate severity. The EPSS score is reported as < 1%, indicating a very low current probability of exploitation, and the vulnerability is not listed in CISA's KEV catalog, further suggesting it is not being actively exploited in the wild. Exploitation requires constructing a URL that triggers the plugin's redirect logic, most likely a crafted request to a known endpoint that accepts a redirect query parameter, and then luring users to a malicious domain. While the attack path is straightforward for anyone able to send phishing emails or posts, the low EPSS reflects limited real-world exploitation so far.
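The defensive fix for this class of bug is to validate the redirect target against the site's own host before issuing the 3xx; in WordPress that is what `wp_safe_redirect()` does via `wp_validate_redirect()`. The stand-alone validator below is an added example, not code from the FunnelKit Automations plugin or its vendors, and it assumes a constructed site hostname `shop.example` and a query parameter named `redirect`, so the accepted and rejected cases can be inspected offline.

```python
"""Allow-list validation of a redirect target (added example, not plugin code)."""
from urllib.parse import urlsplit

SITE_HOST = "shop.example"   # constructed: the WordPress site's own hostname
SAFE_DEFAULT = "/"           # where to send the user when the target is rejected


def validate_redirect(target: str, site_host: str = SITE_HOST,
                      default: str = SAFE_DEFAULT) -> str:
    """Return `target` if it stays on `site_host`, otherwise `default`.

    Accepts site-absolute paths ("/checkout") and http(s) URLs whose host is
    exactly `site_host`. Other hosts, protocol-relative "//host", scheme-only
    "https:host", userinfo tricks, non-http schemes and characters browsers
    rewrite (backslash, C0 controls) all fall back to the default.
    """
    if not target:
        return default
    # Browsers normalise "\" to "/" and strip control characters before
    # parsing, so "/\host" would become "//host". Reject rather than guess.
    if any(ord(c) < 0x20 or c in "\\\x7f" for c in target):
        return default
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: only a site-absolute path is allowed.
        return target if target.startswith("/") else default
    if parts.scheme.lower() not in ("http", "https"):
        return default
    # .hostname drops userinfo/port and lower-cases; compare the whole host,
    # never a prefix, so "shop.example.evil.example" does not pass.
    if parts.hostname is None or parts.hostname != site_host.lower():
        return default
    return target


def location_unsafe(params: dict) -> str:
    """The pattern the advisory describes: the query value becomes Location."""
    return params.get("redirect", SAFE_DEFAULT)


def location_safe(params: dict) -> str:
    """Hardened handler: same input, validated before it reaches Location."""
    return validate_redirect(params.get("redirect", ""))


if __name__ == "__main__":
    for sample in ("/checkout?step=2", "https://shop.example/account",
                   "//evil.example/login", "https:evil.example",
                   "https://shop.example.evil.example/"):
        print(f"{sample!r:45} -> {validate_redirect(sample)!r}")
```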
OpenCVE Enrichment