The plugin exposes an open redirect flaw that allows an attacker to craft a URL that will redirect a user’s browser to an arbitrary, potentially malicious domain. This flaw is a classic Open Redirect (CWE‑601) and permits attackers to facilitate phishing campaigns, deceive site visitors into trusting malicious sites, or redirect traffic to compromise sites. The vulnerability can result in a loss of user trust, credential theft, or spread of malware through deceptive links. The vulnerability is confined to the WordPress plugin and is not a server‑wide flaw.

The affected product is the WordPress plugin "Integrations of Zoho CRM with Elementor form" provided by formsintegrations. All releases from the initial version up to and including 1.0.8 are vulnerable. No other vendors or products were listed, and no specific operating system or platform dependencies are mentioned beyond the WordPress environment.

The CVSS score of 4.7 indicates a medium impact severity. The EPSS score is reported as less than 1%, suggesting that exploitation is rare or low probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path involves an attacker supplying a malicious redirect URL in a form field or a crafted link that redirects site users to an attacker‑controlled site. While the impact is limited to redirecting traffic, the potential to facilitate phishing gives it attractiveness to attackers who already have a foothold in the site or a means to entice users into clicking. As the flaw is a low‑complexity open‑redirect flaw, it can be exploited by an unauthenticated attacker with access to the plugin’s parameters.