The WP Gravity Forms Keap/Infusionsoft WordPress plugin (gf-infusionsoft) has a Medium-severity Open Redirect vulnerability (CVSS 4.3) tracked as CVE-2025-58006. Affected versions include all versions up to and including 1.2.4. According to the published advisory, there is no known patch available at this time.
Attack Vectors
This issue can be exploited by an unauthenticated attacker who can get a user to click a crafted link or complete a specific action that triggers a redirect. Because the redirect destination can be influenced, the user may be sent to an attacker-controlled site that looks legitimate (for example, a fake login page or a “document download” prompt).
For business teams, the most realistic scenario is phishing that leverages your real domain. Attackers prefer redirecting through trusted brands and domains because it can improve click-through rates and reduce suspicion for recipients.
Security Weakness
The vulnerability is caused by insufficient validation of a supplied redirect URL. In practical terms, the plugin may accept a redirect destination that should be blocked (such as an external, untrusted domain), enabling an attacker to route visitors away from your website.
This is not described as data theft by itself, but it can become a high-impact social engineering enabler when paired with convincing messaging, brand impersonation, or lookalike login pages.
Reference: Wordfence Vulnerability Database entry for CVE-2025-58006.
Technical or Business Impacts
Brand and trust risk: Customers and partners may see your domain in the link and assume it is safe, increasing the chance they engage with the attacker’s content. This can lead to reputational damage even if your site was not otherwise “hacked.”
Phishing and credential theft enablement: Redirects are commonly used to move users to fake portals (email, CRM, file-sharing, HR), potentially resulting in compromised accounts elsewhere in the business.
Compliance and reporting implications: If customers are redirected to malicious destinations via your domain, your compliance or legal teams may need to assess notification obligations, third-party risk exposure, and contractual security requirements.
Recommended response (given no known patch): Review your risk tolerance and consider uninstalling WP Gravity Forms Keap/Infusionsoft and replacing it with an alternative integration. If removal is not immediately possible, consider mitigations such as restricting who can trigger affected flows, adding monitoring for suspicious redirect patterns, and implementing protective controls (for example, security tooling that can block known malicious destinations and alert on phishing-style activity).
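As an added example (not code from the advisory, from Wordfence, or from the gf-infusionsoft plugin), the Python below shows the two defensive halves of what the "Security Weakness" section and the recommended response describe: a strict redirect-target check of the kind the plugin is reported to lack, and a scan over web-server access-log lines that flags requests whose redirect-style parameter fails that check, which is one concrete form of "monitoring for suspicious redirect patterns". The allowlisted hosts, the /form-complete/ path, the parameter names and the log lines are constructed assumptions; the advisory does not name the plugin's actual parameter, so nothing here targets it specifically.

```python
"""Redirect-target validation plus access-log scanning for off-site redirects.
Added example; not the plugin's code. Hostnames, paths, parameter names and
log lines are constructed for illustration."""
import re
from urllib.parse import parse_qs, urlsplit

# Hosts this site may legitimately redirect to (constructed example values).
ALLOWED_HOSTS = {"www.example.com", "shop.example.com"}

# Query-parameter names commonly used to carry a post-action destination
# (assumed names; check your own plugin's parameters).
REDIRECT_PARAMS = {"redirect", "redirect_to", "return", "return_url", "next", "url"}


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Allow only same-site relative paths or absolute http(s) URLs whose host
    is exactly on the allowlist. Substring or prefix matching on the host is
    deliberately avoided, since that is how many redirect checks go wrong."""
    if not target:
        return False
    # Browsers treat "\" like "/" and tolerate stray control characters;
    # reject them outright rather than trying to normalise.
    if any(c in target for c in "\\\r\n\t\x00 "):
        return False
    # A path starting with a single "/" stays on this origin. "//host" is a
    # scheme-relative URL and falls through to the host check below.
    if target.startswith("/") and not target.startswith("//"):
        return True
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):   # also rejects javascript:, data:, "//host"
        return False
    if parts.username is not None or parts.password is not None:
        return False   # "https://www.example.com@evil.test" style userinfo trick
    host = parts.hostname   # already lower-cased by urlsplit
    return bool(host) and host in allowed_hosts


# Apache/nginx "combined" log format: client, identd, user, [time], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per redirect-style parameter value that fails validation.
    'redirected' is True when the server answered 3xx, i.e. the user was actually
    sent away; a 200 means the attempt was made but the app did not redirect."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unparseable line; skip rather than crash the scan
        query = urlsplit(m.group("path")).query
        for name, values in parse_qs(query).items():
            if name.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:
                if not is_safe_redirect_target(value, allowed_hosts):
                    findings.append({
                        "ip": m.group("ip"),
                        "time": m.group("ts"),
                        "param": name,
                        "target": value,
                        "status": int(m.group("status")),
                        "redirected": m.group("status").startswith("3"),
                    })
    return findings


# Constructed sample log lines (not real traffic). Lines 1 and 4 are benign,
# 2 and 3 are off-site redirects that succeeded, 5 is an attempt that got a 200.
SAMPLE_LOG_LINES = [
    '198.51.100.4 - - [10/Jan/2026:09:12:01 +0000] "GET /form-complete/?redirect_to=%2Fthank-you%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2026:09:13:44 +0000] "GET /form-complete/?redirect_to=https%3A%2F%2Fwww.example.com.evil.test%2Flogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2026:09:13:59 +0000] "GET /form-complete/?redirect_to=%2F%2Fevil.test%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2026:09:20:10 +0000] "GET /form-complete/?redirect_to=https%3A%2F%2Fshop.example.com%2Fcart HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2026:09:25:02 +0000] "GET /form-complete/?redirect_to=https%3A%2F%2Fevil.test%2F HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG_LINES):
        state = "REDIRECTED" if f["redirected"] else "attempted"
        print(f'{f["time"]} {f["ip"]} {state} {f["param"]}={f["target"]} (HTTP {f["status"]})')
```

Pointing the scan at the real access log (replace SAMPLE_LOG_LINES with lines read from the file) gives a quick list of which clients pushed off-site destinations through the site and whether the server actually issued the redirect. Within WordPress itself, the validator's role is played by the core functions wp_validate_redirect() and wp_safe_redirect(), which restrict destinations to the site's own host unless the allowed_redirect_hosts filter adds more; a plugin that calls wp_redirect() on user-supplied input bypasses that protection, which is the general pattern behind this vulnerability class.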
Similar Attacks
OWASP documents how unvalidated redirects are commonly abused in phishing and social engineering workflows: OWASP: Unvalidated Redirects and Forwards.
PortSwigger provides practical examples showing how open redirects can be chained into real-world attack paths (often to increase the credibility of malicious links): PortSwigger Web Security Academy: Open Redirection.