Impact
WordPress WP Gravity Forms Constant Contact Plugin (CRM Perks) contains a URL Redirection flaw that can be exploited to redirect users to arbitrary malicious sites. The flaw is an open redirect (CWE‑601): it allows attackers to craft URLs that lead unsuspecting visitors to phishing or malware campaigns, thereby compromising confidentiality and enabling credential theft or other social‑engineering attacks. The effect is limited to user interaction with the plugin’s redirect feature; no arbitrary code execution or privilege escalation results from the flaw itself.
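To show what an open redirect of this class looks like and how a redirect target is validated, here is an added example (not the plugin's code, and not derived from it). It contrasts the weak pattern, passing a request-supplied destination straight through, with an allow-list check that only accepts site-relative paths or absolute URLs on the site's own host. The host name `example-site.test` and the sample inputs are constructed for the example; in WordPress the same check is provided by the core functions `wp_safe_redirect()` / `wp_validate_redirect()`, which a plugin should use instead of `wp_redirect()` for any destination taken from the request.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed: hosts this site is willing to redirect to. A WordPress plugin
# would derive this from home_url(); the value here is an assumption.
ALLOWED_HOSTS = {"example-site.test"}


def vulnerable_redirect_target(raw: str) -> str:
    """The weak pattern: whatever the visitor supplied becomes the Location header."""
    return raw


def safe_redirect_target(raw, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `raw` only if it stays on this site; otherwise return `fallback`.

    Handles the usual bypass shapes: protocol-relative "//host", backslash
    variants "/\\host", userinfo tricks "https://good@evil", non-HTTP schemes
    such as javascript:, and control characters inserted to confuse parsers.
    """
    if raw is None:
        return fallback
    # Drop tabs/newlines/control characters that browsers tolerate but parsers may not.
    candidate = "".join(ch for ch in raw if ch.isprintable()).strip()
    if not candidate:
        return fallback
    # Browsers treat backslashes as slashes, so "/\\evil.test" means "//evil.test".
    candidate = candidate.replace("\\", "/")

    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return fallback  # javascript:, data:, etc.

    if parts.netloc:
        # Absolute or protocol-relative URL: the host must be on the allow list.
        # A userinfo prefix ("https://example-site.test@evil.test") is rejected
        # outright; note the port is deliberately not part of the comparison.
        if parts.username or parts.password:
            return fallback
        host = (parts.hostname or "").lower()
        if host not in allowed_hosts:
            return fallback
        return urlunsplit(parts)

    # No host part: accept only a site-relative path with exactly one leading "/".
    if not candidate.startswith("/") or candidate.startswith("//"):
        return fallback
    return candidate


if __name__ == "__main__":
    for target in ("/thank-you/", "https://example-site.test/thank-you/",
                   "https://evil.test", "//evil.test/login", "/\\evil.test",
                   "https://example-site.test@evil.test/", "javascript:alert(1)"):
        print(f"{target!r:45} -> {safe_redirect_target(target)!r}")
```

The check works on the parsed host rather than on string prefixes, because prefix tests (`startswith("https://example-site.test")`) are defeated by `https://example-site.test.evil.test` and by the userinfo form. Falling back to `/` rather than raising keeps the form's post-submit flow working while the off-site destination is simply discarded.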
Affected Systems
All installations of the CRM Perks WP Gravity Forms Constant Contact Plugin with version 1.1.0 or earlier are affected. The flaw lies in the plugin’s own redirect handling, so it is present regardless of the WordPress installation that hosts the plugin. Because the vulnerability is disclosed as affecting “n/a through <= 1.1.0,” any site that has not updated past this threshold may be vulnerable.
Risk and Exploitability
The CVSS score of 4.7 indicates moderate severity, and the EPSS score of <1% indicates a very low probability of exploitation in the wild. The flaw is web‑based and requires only an unauthenticated HTTP request containing the malicious redirect; it does not require any additional privileges or access. Though it is not yet listed in the CISA KEV catalog, the available data suggest that unpatched sites may attract spam or phishing campaigns that exploit open redirects, and attackers might chain this vulnerability with other weaknesses to increase success.
OpenCVE Enrichment
EUVD