CVE-2025-60091
WP · WP Gravity Forms Zoho CRM and Bigin plugin by CRM Perks
Executive summary
A critical vulnerability has been identified in the WP Gravity Forms Zoho CRM and Bigin plugin for WordPress, rated 9.8 out of 10. This flaw allows an unauthenticated attacker to inject malicious code and execute it on the server, potentially leading to a complete takeover of the affected website. Successful exploitation could result in data theft, website defacement, and further compromise of the underlying infrastructure.
Vulnerability
The vulnerability is an insecure deserialization of untrusted data, which leads to a PHP Object Injection. The plugin improperly handles user-supplied data when deserializing it, failing to validate the input before processing. An unauthenticated attacker can craft a malicious serialized PHP object (a "gadget chain") and send it to the vulnerable application endpoint. When the plugin deserializes this payload, it can trigger a series of method calls on existing classes within the application's scope, ultimately resulting in arbitrary code execution on the server with the privileges of the web server process.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the high potential for severe business disruption. A successful exploit could grant an attacker complete control over the affected website, leading to the compromise of confidentiality, integrity, and availability. Potential consequences include theft of sensitive customer data from forms and the integrated CRM, unauthorized modification of the website, deployment of malware or ransomware, and using the compromised server as a pivot point to attack other systems on the network. Such an incident could lead to significant financial loss, reputational damage, and regulatory penalties.
Remediation
Immediate Action: Update the WP Gravity Forms Zoho CRM and Bigin plugin to the latest version available (greater than 1.2.9) to patch the vulnerability. After patching, it is crucial to check for signs of post-compromise activity by reviewing web server access logs, application logs, and system integrity for unauthorized changes or suspicious connections.
Proactive Monitoring: Implement enhanced monitoring to detect exploitation attempts. Look for unusual POST requests in web server logs, particularly those containing long, encoded strings (e.g., Base64) which may represent serialized PHP objects. Monitor application error logs for exceptions related to deserialization. System-level monitoring should alert on the creation of unexpected files in web-accessible directories, new outbound network connections from the web server, and unexpected process execution.
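As an added example (not part of the advisory or of the plugin's code), the following Python implements the log check described above: it pulls long base64 tokens and URL-encoded fragments out of POST request records and flags any that decode to a serialized PHP object header. The sample records, endpoint paths and action names are constructed placeholders, and the serialized object used as a fixture is a harmless stdClass.

```python
import base64
import re
from urllib.parse import unquote

# Header of a serialized PHP object: O:<name length>:"<ClassName>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')
# Runs of base64 / URL-safe base64 long enough to carry a serialized object header
B64_TOKEN_RE = re.compile(r'[A-Za-z0-9+/_-]{24,}={0,2}')

def _decode_b64(token):
    """Decode a possibly URL-safe, possibly unpadded base64 token; b'' if invalid."""
    t = token.replace('-', '+').replace('_', '/')
    t += '=' * (-len(t) % 4)
    try:
        return base64.b64decode(t, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b''

def php_object_classes(text):
    """Class names of serialized PHP objects in text: raw, URL-encoded or base64-wrapped."""
    variants = [text] if unquote(text) == text else [text, unquote(text)]
    classes = []
    for variant in variants:
        classes += PHP_OBJECT_RE.findall(variant)
        for token in B64_TOKEN_RE.findall(variant):
            classes += PHP_OBJECT_RE.findall(_decode_b64(token).decode('latin-1'))
    return classes

def scan_requests(records):
    """records: iterable of (method, uri, body). Returns (uri, class) per suspicious POST."""
    findings = []
    for method, uri, body in records:
        if method != 'POST':  # the advisory's guidance concerns POST requests
            continue
        for cls in php_object_classes(uri) + php_object_classes(body):
            findings.append((uri, cls))
    return findings

# Constructed sample records, as a request-logging proxy or WAF (which, unlike a plain
# access log, records bodies) might capture them. Endpoint and action names are
# placeholders, not the plugin's real ones; the serialized object is a harmless stdClass.
SAMPLE_REQUESTS = [
    ("GET", "/wp-admin/admin-ajax.php?action=heartbeat", ""),
    ("POST", "/wp-admin/admin-ajax.php", "action=gform_submit&input_1=Alice&input_2=alice%40example.com"),
    ("POST", "/wp-admin/admin-ajax.php", "action=placeholder_action&data="
     + base64.b64encode(b'O:8:"stdClass":1:{s:1:"x";s:1:"y";}').decode()),
    ("POST", "/?p=1", "payload=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),
]
```

Each finding names the class the attacker asked the server to instantiate, which is the first thing to compare against the classes actually loaded on the site during triage.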
Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:
- Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP object injection and deserialization attacks.
- If the plugin's functionality is not essential, disable and uninstall it until a patch can be applied safely.
- Restrict network access to the website and any administrative interfaces to only trusted IP addresses.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical CVSS score of 9.8 and the potential for complete system compromise, this vulnerability poses a severe and immediate risk to the organization. Although CVE-2025-60091 is not currently listed on the CISA KEV catalog, its high impact makes it a prime candidate for future inclusion and an attractive target for attackers. We strongly recommend that organizations identify all instances of the vulnerable plugin and apply the vendor-supplied patch immediately as a top priority.