Description
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in flexmls Flexmls® IDX flexmls-idx allows Phishing. This issue affects Flexmls® IDX: from n/a through <= 3.15.7.
Published: 2025-12-09
Score: 4.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Flexmls® IDX plugin for WordPress contains an open redirect: it takes a redirect target from the request and issues the redirect without validating where it points, so an attacker chooses the destination. The link the victim sees carries the legitimate site's own domain and only the redirect lands on the attacker's host, which makes it a convenient first hop for phishing pages or malicious downloads. This is CWE-601 (URL Redirection to Untrusted Site).

Affected Systems

The issue affects the Flexmls® IDX WordPress plugin up to and including version 3.15.7. No lower bound is recorded (the advisory gives "n/a"), so every earlier release should be treated as affected. Any WordPress site running a vulnerable version is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 4.7 (Medium) comes from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N: exploitable over the network without privileges, but only if the victim follows a crafted link, with a limited confidentiality impact and a changed scope (the vulnerable component is the plugin, the component that suffers is the user's browser session). An earlier enrichment record scored the same 4.7 with AV:A/UI:N; the two vectors are listed in the history below. The EPSS score (<1%) indicates a low probability of exploitation at present, and the CVE is not in CISA's KEV catalog. Open redirects are rarely the whole attack, but they are routinely chained into phishing campaigns precisely because the URL shown to the victim belongs to a site they trust, so the impact on user trust can exceed what the score alone suggests. Exploitation needs nothing more than a victim following an attacker-crafted URL that the plugin then processes.

Generated by OpenCVE AI on April 29, 2026 at 11:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Flexmls® IDX plugin to a release newer than 3.15.7 as soon as the vendor publishes one; until then, treat every installed version as vulnerable.
  • After updating, verify the fix rather than assuming it: request the plugin's redirect endpoint with a target on an external host you control (not a real malicious site) and confirm the response is not a 3xx whose Location header points at that host; the plugin should reject the value or fall back to a same-site page. Include scheme-relative (//host) and backslash (/\host) forms in the test, since naive checks that only reject "http://" miss them.
  • As a temporary safeguard, restrict redirects to a strict allow-list of the site's own hostname (plus any partner domains it genuinely needs), or disable the redirect feature entirely if the plugin offers that option. If it does not, the same restriction can be enforced in front of WordPress at the web server or WAF by rejecting requests whose redirect parameter contains a URL scheme or begins with "//".
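The open redirect described in the Impact section and the verification and allow-list steps above, as an added Python example that is not the plugin's code and does not claim to reproduce its internals (the page does not name the affected parameter): the weak target handler beside an allow-list validator, and the pass/fail rule for the post-update request. The host example-realty.test, the parameter name redirect_to and every probe string are constructed for illustration.

```python
"""Added example, not the Flexmls IDX plugin's code.  SITE_HOST, the parameter
name 'redirect_to' in comments, and all probe strings are constructed."""
from typing import Optional
from urllib.parse import urlsplit

SITE_HOST = "example-realty.test"   # assumed hostname of the WordPress site


def vulnerable_redirect_target(requested: str) -> str:
    """CWE-601 pattern: whatever arrives in the redirect parameter becomes the
    Location header, so ?redirect_to=https://evil.example sends the user away."""
    return requested


def is_same_site(target: str, site_host: str, allowed_hosts=frozenset()) -> bool:
    """True only if `target` stays on `site_host` (or an explicitly allowed host).

    The checks mirror how browsers parse a Location header, which is where
    naive 'does it start with http://' filters go wrong."""
    # CR/LF would split the header; tabs and other C0 controls are removed by
    # browsers (and by urlsplit) before parsing and can hide a scheme.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False
    t = target.strip().replace("\\", "/")      # browsers treat '\' as '/' in http(s) URLs
    if t.startswith("//"):
        return False                           # scheme-relative: //evil.example, ///evil.example
    try:
        parts = urlsplit(t)
    except ValueError:                         # e.g. malformed IPv6 bracket syntax
        return False
    if parts.scheme:                           # urlsplit already lower-cases the scheme
        if parts.scheme not in ("http", "https"):
            return False                       # javascript:, data:, mailto:, ...
        if not parts.netloc:
            return False                       # browsers turn 'https:/evil.example' into https://evil.example
        host = (parts.hostname or "").lower()  # hostname ignores user:pass@ and :port
        return host == site_host.lower() or host in allowed_hosts
    return t.startswith("/")                   # absolute path on this site; anything else is rejected


def safe_redirect_target(requested: str, site_host: str = SITE_HOST,
                         allowed_hosts=frozenset(), fallback: str = "/") -> str:
    """Hardened replacement for vulnerable_redirect_target(): foreign or malformed
    targets are swapped for `fallback`, so legitimate flows keep working and the
    attacker-supplied destination is never used."""
    if is_same_site(requested, site_host, allowed_hosts):
        return requested.strip()
    return fallback


def check_redirect_response(status: int, location: Optional[str],
                            site_host: str = SITE_HOST) -> bool:
    """Pass/fail rule for the post-update test: send a request whose redirect
    parameter points at a host you control, then feed the status code and
    Location header here.  True means the site did not redirect off-site
    (fixed); False means it did (still vulnerable)."""
    if not 300 <= status < 400 or location is None:
        return True
    return is_same_site(location, site_host)


if __name__ == "__main__":
    # Constructed values an attacker might place in the redirect parameter.
    probes = [
        "/listings/?id=42",
        "https://example-realty.test/search",
        "https://evil.example/login",
        "//evil.example/",
        "/\\evil.example",
        "https:/evil.example",
        "https://example-realty.test@evil.example/",
        "javascript:alert(1)",
    ]
    for p in probes:
        print(f"{p!r:48} weak -> {vulnerable_redirect_target(p)!r:48} "
              f"hardened -> {safe_redirect_target(p)!r}")
    # Simulated post-update probe: a fixed site answers with a same-site 302.
    print("post-update check passes:",
          check_redirect_response(302, "https://example-realty.test/"))
```

In a WordPress plugin the equivalent of the hardened path is core's wp_safe_redirect(), which runs the target through wp_validate_redirect() and the allowed_redirect_hosts filter instead of passing raw input to wp_redirect(); the validator above is written out in full only so the individual bypass cases (scheme-relative, backslash, "https:/", userinfo, non-http schemes, header injection) are visible and testable.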



Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 10 Dec 2025 18:00:00 +0000

Type: First Time appeared
  Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Added: Wordpress; Wordpress wordpress

Wed, 10 Dec 2025 15:15:00 +0000

Type: Metrics
  Values Removed: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}
  Values Added:   cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}


Tue, 09 Dec 2025 21:15:00 +0000

Type: Metrics
  Values Added: cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}
                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Dec 2025 14:30:00 +0000

Type: Description
  Values Added: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in flexmls Flexmls® IDX flexmls-idx allows Phishing. This issue affects Flexmls® IDX: from n/a through <= 3.15.7.
Type: Title
  Values Added: WordPress Flexmls® IDX plugin <= 3.15.7 - Open Redirection vulnerability
Type: Weaknesses
  Values Added: CWE-601
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:24:45.499Z

Reserved: 2025-12-09T12:21:39.680Z

Link: CVE-2025-67585

Vulnrichment

Updated: 2025-12-09T20:40:31.536Z

NVD

Status : Deferred

Published: 2025-12-09T16:18:36.390

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-67585

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:45:10Z

Weaknesses