Impact
The gf-zoho plugin contains an open redirect flaw that permits malicious actors to redirect site users to externally defined URLs without validation. This CWE-601 weakness can be exploited to facilitate phishing attacks or drive users to malware sites, compromising confidentiality and potentially leading to credential theft. The vulnerability does not allow arbitrary code execution, but it enables attackers to manipulate the user’s navigation flow.
Affected Systems
The vulnerability affects the WordPress plugin ‘gf-zoho’ developed by CRM Perks, known as WP Gravity Forms Zoho CRM and Bigin. All releases up to and including version 1.2.8 are impacted; any WordPress site with the plugin enabled is exposed.
Risk and Exploitability
The CVSS score of 4.7 classifies the flaw as moderate severity, while the EPSS score of less than 1% indicates a low likelihood of active exploitation at present. The plugin is not listed in the CISA KEV catalog. Exploitation would generally occur through crafted links sent to users or embedded in the plugin’s administrative interface, redirecting them to an attacker-controlled site. No special privileges or authentication are required, so the attack is feasible for an unauthenticated attacker.
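For context on the CWE-601 class described above, the following is an added illustration of the vulnerable redirect pattern in a WordPress plugin next to its hardened form; it is not code from gf-zoho, and the request parameter name, function names and the placeholder host are assumptions.

```php
<?php
// Added example of a WordPress redirect-handling pattern; not gf-zoho's code.
// The `redirect_to` parameter name and the function names are assumptions.

// Vulnerable pattern (CWE-601): the destination is taken straight from the
// request and handed to wp_redirect(), which performs no host validation, so
// any absolute URL, including an external host, is accepted.
function example_vulnerable_redirect() {
    $target = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : home_url();
    wp_redirect( $target );
    exit;
}

// Hardened pattern: wp_validate_redirect() returns the fallback when the host
// is not the site's own host (or one on the allowed_redirect_hosts list), when
// the scheme is not http/https, or when the URL carries userinfo such as
// "https://site.example@evil.example". wp_safe_redirect() applies the same
// validation internally, so an untrusted destination can never leave the site.
function example_safe_redirect() {
    $raw    = isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : '';
    $target = wp_validate_redirect( $raw, home_url() ); // home_url() when $raw is unsafe
    wp_safe_redirect( $target );
    exit;
}

// If an integration legitimately needs to send users to a third-party domain,
// allow that host explicitly instead of trusting arbitrary input.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'crm.example'; // placeholder host (assumption), replace with the real one
    return $hosts;
} );
```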
OpenCVE Enrichment