CVE-2025-49325: 
WordPress vulnerability analysis and mitigation

URL Redirection to Untrusted Site ('Open Redirect') vulnerability was discovered in Automattic Newspack Newsletters affecting versions through 3.13.0. The vulnerability was disclosed on June 5, 2025, and assigned identifier CVE-2025-49325 (NVD, CVE).

The vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site) with a CVSS v3.1 Base Score of 4.7 (MEDIUM). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requires no privileges (PR:N), needs user interaction (UI:R), has changed scope (S:C), and can impact confidentiality (C:L) with no effect on integrity (I:N) or availability (A:N) (Patchstack).

The vulnerability could allow malicious actors to redirect users from legitimate sites to malicious ones due to insufficient validation of redirect URLs. This could potentially lead to phishing incidents where users are tricked into visiting what they believe is a legitimate site (Patchstack).

The vulnerability has been patched in version 3.14.0 of the Newspack Newsletters plugin. Users are advised to update to this version or later to remove the vulnerability. The security issue has been classified as having a low severity impact and is considered unlikely to be exploited (Patchstack).