CVE-2025-67587 Overview
CVE-2025-67587 is an open redirect vulnerability in the CRM Perks WP Gravity Forms FreshDesk Plugin (gf-freshdesk) for WordPress. The flaw affects all plugin versions up to and including 1.3.5. Attackers can craft URLs that route users through the vulnerable WordPress site to attacker-controlled destinations. Because the redirect originates from a trusted domain, victims are more likely to trust the destination, enabling phishing and credential theft campaigns. The issue is tracked under CWE-601: URL Redirection to Untrusted Site.
Critical Impact
Attackers can abuse the trusted WordPress domain to redirect authenticated users to phishing sites, harvesting credentials and delivering malware under the guise of a legitimate business domain.
Affected Products
- CRM Perks WP Gravity Forms FreshDesk Plugin (gf-freshdesk)
- All versions from n/a through 1.3.5
- WordPress installations using Gravity Forms with the FreshDesk integration
Discovery Timeline
- 2025-12-09 - CVE-2025-67587 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-67587
Vulnerability Analysis
The vulnerability stems from improper validation of a user-controlled URL parameter used to construct an HTTP redirect. The plugin accepts a destination URL from a request parameter and issues a redirect without validating that the target belongs to an allowlisted domain or matches the site's own origin.
Exploitation requires user interaction. A victim must click a crafted link that points at the vulnerable WordPress site. The server then redirects the browser to the attacker's chosen host. The scope is changed because the redirect crosses a trust boundary from the trusted WordPress domain to an untrusted external site.
The primary impact is confidentiality loss through phishing. Attackers can clone the legitimate site's login page on the redirect target and capture submitted credentials. Integrity and availability are not directly affected by the redirect itself.
Root Cause
The root cause is missing or insufficient URL validation on a redirect parameter handled by the gf-freshdesk plugin. The plugin does not enforce an allowlist of trusted hosts and does not strip absolute URLs pointing to external domains before passing them to WordPress redirect functions such as wp_redirect().
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a URL that includes the vulnerable redirect endpoint on the target WordPress site together with an attacker-controlled destination. The attacker distributes the link through email, social media, or malvertising. When the victim clicks, the trusted WordPress domain performs the redirect, bypassing user suspicion and email link filters that trust the sending domain.
The vulnerability manifests in the plugin's request-handling code path. See the Patchstack advisory for technical details on the affected code path.
Detection Methods for CVE-2025-67587
Indicators of Compromise
- Web server access logs showing requests to gf-freshdesk plugin endpoints containing fully qualified external URLs in query parameters
- HTTP 302 responses from the WordPress site with Location headers pointing to external, non-allowlisted domains
- Referrer logs on unrelated systems showing inbound traffic redirected from the vulnerable WordPress domain
- Reports from users or customers describing phishing pages reached via links on the trusted site
Detection Strategies
- Inspect web server and WordPress access logs for redirect parameters containing http:// or https:// values that resolve to external hosts.
- Correlate outbound 302 redirects issued by the site with the destination domain reputation feeds.
- Deploy web application firewall rules that flag requests to plugin endpoints with URL-encoded external destinations.
Monitoring Recommendations
- Enable detailed request logging for all requests routed to wp-content/plugins/gf-freshdesk/.
- Alert on any HTTP redirect responses where the Location header host differs from the site's canonical domain.
- Monitor threat intelligence sources for phishing kits abusing the vulnerable domain as an initial hop.
How to Mitigate CVE-2025-67587
Immediate Actions Required
- Audit installed WordPress plugins and identify any site running gf-freshdesk version 1.3.5 or earlier.
- Update the WP Gravity Forms FreshDesk Plugin to a patched release as soon as the vendor publishes one.
- If no patched version is available, deactivate and remove the plugin until a fix ships.
- Review recent web logs for exploitation attempts and notify potentially phished users.
Patch Information
At the time of publication, the Patchstack advisory identifies all versions up to and including 1.3.5 as vulnerable. Administrators should monitor the CRM Perks vendor page and the WordPress plugin repository for a fixed release and apply it immediately upon availability.
Workarounds
- Deploy a web application firewall rule that blocks requests to gf-freshdesk endpoints containing external URLs in query parameters.
- Restrict access to the affected plugin endpoints via server configuration until a patch is installed.
- Educate users to verify the final destination of links, especially those arriving via email or messaging platforms.
# Example nginx rule to block external redirect payloads targeting the plugin
location ~* /wp-content/plugins/gf-freshdesk/ {
if ($args ~* "(redirect|url|return|next)=https?%3A%2F%2F") {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

