CVE-2025-60090

CRM · CRM Perks WP Gravity Forms Insightly

A critical vulnerability has been discovered in the WP Gravity Forms Insightly plugin for WordPress, identified as CVE-2025-60090.

Executive summary

A critical vulnerability has been discovered in the WP Gravity Forms Insightly plugin for WordPress, identified as CVE-2025-60090. This flaw allows an unauthenticated attacker to inject malicious code and potentially gain complete control over the affected website. Due to its critical severity (CVSS score of 9.8), immediate action is required to prevent system compromise, data theft, or further network intrusion.

Vulnerability

The vulnerability is a Deserialization of Untrusted Data weakness that leads to PHP Object Injection. The application passes serialized data from an untrusted source to the deserializer without validating it. An attacker can submit a specially crafted data string (a serialized PHP object) to the application; when the application deserializes this string, PHP instantiates the object and runs magic methods already present in the code base (such as __wakeup or __destruct) with attacker-controlled property values, which can be chained into arbitrary code execution. This type of attack often does not require authentication and can result in full remote code execution (RCE) on the web server.
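The following is an added, illustrative example and is not code from the affected plugin or its vendor: it shows the unsafe unserialize() pattern that underlies PHP Object Injection beside a hardened form, using a hypothetical AuditLogger class and a constructed payload. The safest fix for untrusted input is to avoid PHP serialization entirely (for example, use JSON); allowed_classes is the fallback when the format cannot change.

```php
<?php
// Illustrative only: not the plugin's code. Shows why unserialize() on
// request data is dangerous and how to neutralise gadget classes.

// Hypothetical class standing in for any gadget that performs work in a
// magic method; a real gadget might touch files or other resources.
class AuditLogger
{
    public string $message = '';

    public function __destruct()
    {
        // Runs automatically when the object is garbage-collected,
        // even if the application never explicitly used the object.
        echo "[__destruct ran] " . $this->message . PHP_EOL;
    }
}

// Constructed payload: a serialized AuditLogger instance with an
// attacker-chosen property value.
$untrusted = 'O:11:"AuditLogger":1:{s:7:"message";s:19:"attacker controlled";}';

// VULNERABLE pattern: untrusted input is deserialized as-is, so any class
// the autoloader can reach is instantiated and its magic methods fire.
function vulnerable(string $input): string
{
    $obj = unserialize($input);   // AuditLogger is instantiated here
    return get_class($obj);       // "AuditLogger"; __destruct fires on return
}

// HARDENED pattern: refuse to instantiate any class. PHP >= 7.0 then
// yields __PHP_Incomplete_Class, whose magic methods never run.
function hardened(string $input): bool
{
    $obj = unserialize($input, ['allowed_classes' => false]);
    return $obj instanceof __PHP_Incomplete_Class;
}

echo vulnerable($untrusted) . PHP_EOL;   // prints class name, then the
                                         // "[__destruct ran]" line
var_dump(hardened($untrusted));          // bool(true), nothing else printed
```

Run with `php example.php`; the second call prints only `bool(true)`, demonstrating that the gadget's destructor never executed.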

Business impact

This vulnerability is rated as critical with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the web server hosting the WordPress site. The potential consequences include theft of sensitive data submitted through forms (such as customer PII), financial information, and user credentials. An attacker could also deface the website, install malware or ransomware, use the compromised server as a pivot point to attack other internal network resources, or use it to launch attacks against external targets, leading to significant reputational damage, financial loss, and potential regulatory penalties.

Remediation

Immediate Action: Update the WP Gravity Forms Insightly plugin to the latest secure version (newer than 1.1.6) as recommended by the vendor, CRM Perks. After patching, review web server access logs and audit system files for any signs of compromise that may have occurred prior to the update.

Proactive Monitoring: Monitor web server logs for suspicious POST requests, particularly those containing long, encoded strings characteristic of serialized PHP objects (for example, patterns such as `O:` followed by a class-name length and name). Note that standard access logs record only the request line and headers, not the POST body, so inspecting bodies requires WAF, reverse-proxy, or application-level logging. Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, or plugins. Watch for unexpected outbound network connections or processes spawned by the web server user (e.g., www-data, apache).

Compensating Controls: If immediate patching is not feasible, the plugin should be disabled immediately to remove the attack surface. A properly configured Web Application Firewall (WAF) may provide partial protection by blocking requests with common object injection patterns, but this should be considered a temporary mitigation and not a substitute for patching.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the high probability of leading to remote code execution, this vulnerability poses a severe risk to the organization. All administrators of websites using the WP Gravity Forms Insightly plugin must prioritize updating to a patched version immediately. Due to the likelihood of future exploitation, this vulnerability should be treated with the highest urgency, equivalent to a vulnerability on the CISA KEV list.