CVE-2025-30954: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-30954 is an Open Redirect vulnerability affecting the WP Gravity Forms Constant Contact Plugin versions through 1.1.0. This security flaw was discovered and reported on April 26, 2025, and publicly disclosed on June 5, 2025. The vulnerability allows for URL Redirection to Untrusted Sites, which could potentially be exploited for phishing attacks (Patchstack).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) and has received a CVSS v3.1 Base Score of 4.7 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N. The vulnerability can be exploited without authentication, indicating that any user can potentially trigger the redirect functionality (NVD, Patchstack).

The vulnerability allows malicious actors to redirect users from legitimate sites to potentially malicious ones due to insufficient validation of redirect URLs. This could be leveraged in phishing campaigns where users believe they are visiting a legitimate site but are redirected to a malicious one (Patchstack).

The vulnerability has been fixed in version 1.1.1 of the WP Gravity Forms Constant Contact Plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update functionality for vulnerable plugins (Patchstack).