Impact
The WP Clone any post type plugin (Galaxy Weblinks) contains an Open Redirect flaw (CWE‑601) that allows an attacker to craft URLs that redirect visitors to arbitrary third‑party sites. A user who follows such a link may be taken to a phishing or malware site, which undermines user trust and can facilitate credential theft. The vulnerability does not provide direct code execution or data exposure, but the manipulation of user navigation creates a vector for social‑engineering attacks.
Affected Systems
This vulnerability affects the WP Clone any post type plugin for WordPress versions from the initial release through and including 3.6. The affected product is identical to the one distributed by Galaxy Weblinks on the WordPress plugin repository.
Risk and Exploitability
The CVSS score of 4.7 indicates moderate overall risk, while the EPSS score of less than 1% reflects a low likelihood of exploitation at present. The flaw is not listed in CISA’s KEV catalog. An attacker can exploit the issue by supplying a crafted URL to the plugin that triggers an HTTP redirect to an external site; any user who follows the link is exposed. No special credentials or elevated privileges are required, and the attack vector is most likely a malicious link or embedded content shared through email, social media, or other publicly accessible channels.
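For defenders reviewing web server logs, the following added example (not part of the advisory or the plugin's code) flags 3xx responses to requests whose query string carries an off-site URL. The site hostname, log lines and parameter names are constructed assumptions; the advisory does not name the affected parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: hostnames this site may legitimately redirect to.
SITE_HOSTS = {"blog.example.test"}

# Constructed sample lines (combined log format); paths and parameter names are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-admin/edit.php?next=https%3A%2F%2Foffsite.example.net%2Flogin HTTP/1.1" 302 0
203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /wp-admin/edit.php?next=https%3A%2F%2Fblog.example.test%2Fwp-admin%2F HTTP/1.1" 302 0
198.51.100.7 - - [01/Jan/2025:10:02:00 +0000] "GET /?dest=%2F%2Foffsite.example.org%2Fa HTTP/1.1" 301 0
198.51.100.8 - - [01/Jan/2025:10:03:00 +0000] "GET /?s=https%3A%2F%2Foffsite.example.net HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) ')
URLISH_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?//', re.I)


def external_host(value):
    """Return the host when value is an absolute or scheme-relative URL to an off-site host."""
    # Browsers treat "\" like "/" in URLs, so normalise before checking.
    v = value.strip().replace("\\", "/")
    if not URLISH_RE.match(v):
        return None  # relative path or non-URL value
    host = urlsplit(v).hostname
    return host if host and host not in SITE_HOSTS else None


def find_offsite_redirects(log_text):
    """Return (client, parameter, host, status) for each redirect that echoes an off-site URL."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(3).startswith("3"):
            continue  # only redirect responses are of interest
        client, target, status = m.groups()
        # parse_qsl percent-decodes each value once.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            host = external_host(value)
            if host:
                hits.append((client, name, host, int(status)))
    return hits


if __name__ == "__main__":
    for hit in find_offsite_redirects(SAMPLE_LOG):
        print(hit)
```

A hit shows only that a redirect response followed a request carrying an off-site URL; confirm against the response's Location header where the log records it.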