CVE-2025-60180

CRM Perks · WP Gravity Forms Salesforce

The CRM Perks WP Gravity Forms Salesforce plugin is susceptible to deserialization of untrusted data, which can lead to arbitrary object injection.

Executive summary

A critical object injection vulnerability in the WP Gravity Forms Salesforce plugin enables remote code execution or unauthorized system access via deserialization of untrusted data.

Vulnerability

The plugin fails to safely handle deserialization of user-supplied data. This allows an attacker to inject malicious objects into the application, which can be leveraged for further exploitation.
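The following is an added illustration, not code from the plugin or from this advisory. It shows the vulnerable shape the paragraph above describes (caller-controlled bytes reaching PHP's `unserialize()`) next to two hardened forms: an `allowed_classes` pin with content re-validation, and a JSON representation that cannot instantiate objects at all. The `Settings` class, the `state` field and the constructed inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. The Settings class and the inputs at the
// bottom are hypothetical/constructed.

final class Settings
{
    public string $objectName = 'Lead';
    /** @var array<string,string> form field => Salesforce field */
    public array $fieldMap = [];
}

// Vulnerable shape: unserialize() instantiates any loadable class and runs its
// __wakeup()/__destruct() on caller-chosen property values. Shown for contrast.
function loadStateUnsafe(string $raw): mixed
{
    return unserialize($raw);
}

// Hardened form 1: pin the one class that may be instantiated, then re-validate
// its contents. Any other class is materialised as __PHP_Incomplete_Class, which
// has no behaviour; malformed input (including typed-property mismatches, which
// throw) is rejected instead of trusted.
function loadStateHardened(string $raw): ?Settings
{
    try {
        $value = @unserialize($raw, ['allowed_classes' => [Settings::class]]);
    } catch (\Throwable) {
        return null;
    }
    if (!$value instanceof Settings) {
        return null;
    }
    return validate($value->objectName, $value->fieldMap) ? $value : null;
}

// Hardened form 2 (preferred for data that crosses a trust boundary): JSON can
// only yield scalars and arrays, so there is nothing to instantiate.
function loadStateJson(string $raw): ?Settings
{
    try {
        $data = json_decode($raw, true, 4, JSON_THROW_ON_ERROR);
    } catch (\JsonException) {
        return null;
    }
    if (!is_array($data) || !isset($data['objectName'], $data['fieldMap'])) {
        return null;
    }
    if (!validate($data['objectName'], $data['fieldMap'])) {
        return null;
    }
    $s = new Settings();
    $s->objectName = $data['objectName'];
    $s->fieldMap = $data['fieldMap'];
    return $s;
}

// allowed_classes limits *which* classes exist, not what their properties hold,
// so the contents still need an allowlist check.
function validate(mixed $objectName, mixed $fieldMap): bool
{
    if (!is_string($objectName) || preg_match('/^[A-Za-z][A-Za-z0-9_]{0,39}$/', $objectName) !== 1) {
        return false;
    }
    if (!is_array($fieldMap)) {
        return false;
    }
    foreach ($fieldMap as $k => $v) {
        if (!is_string($k) || !is_string($v)) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: a legitimate Settings blob, a foreign (harmless) class, JSON.
$legit = new Settings();
$legit->fieldMap = ['email' => 'Email'];
$good    = serialize($legit);
$foreign = 'O:8:"stdClass":0:{}';
$json    = '{"objectName":"Contact","fieldMap":{"email":"Email"}}';

var_dump(loadStateHardened($good) instanceof Settings);
var_dump(loadStateHardened($foreign));
var_dump(loadStateJson($json)?->objectName);
```

Run it with `php example.php` (PHP 8.0 or later, for the bare `catch` and `?->`). The first hardened loader accepts the legitimate blob and returns `null` for the foreign class; the JSON loader returns a `Settings` object with `objectName` set to `Contact`. The point of the `validate()` step is that `allowed_classes` alone stops class instantiation but says nothing about the values inside the permitted class, which a later SOQL or API call might still trust.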

Business impact

With a CVSS score of 9.8, this vulnerability represents a critical risk to the integrity and availability of the WordPress site. Successful exploitation could lead to full system compromise, allowing attackers to execute arbitrary code and gain access to sensitive Salesforce integration data.

Remediation

Immediate Action: Update the WP Gravity Forms Salesforce plugin to the most recent version provided by CRM Perks to resolve the deserialization flaw.

Proactive Monitoring: Monitor server logs for unusual serialized data patterns in request parameters and for anomalous traffic directed at the plugin's endpoints.
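As an added example of the monitoring the advisory recommends (not part of the advisory or the plugin), the script below scans combined-format access log lines for query parameters that carry a PHP-serialized object, including base64-wrapped ones. The log lines are constructed and the admin-ajax `action` value is hypothetical.

```php
<?php
declare(strict_types=1);

// Added detection example; the log lines and the "action" value are constructed.

// O:<len>:"<class>":<n>:{ and C:<len>:"<class>":<n>:{ open a serialized object.
// Plain arrays and scalars (a:, s:, i:, b:) never produce this shape.
const SERIALIZED_OBJECT = '/[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

function containsSerializedObject(string $value): bool
{
    if (preg_match(SERIALIZED_OBJECT, $value) === 1) {
        return true;
    }
    // Serialized blobs are often base64-wrapped; decode strictly and re-check.
    if (strlen($value) >= 16 && preg_match('~^[A-Za-z0-9+/]+={0,2}$~', $value) === 1) {
        $decoded = base64_decode($value, true);
        return $decoded !== false && preg_match(SERIALIZED_OBJECT, $decoded) === 1;
    }
    return false;
}

// Pull the request target out of a combined-format line and return its decoded
// query parameters; the decoding is what exposes %3A-escaped "O:8:" markers.
function queryParams(string $logLine): array
{
    if (preg_match('/"(?:GET|POST|PUT|PATCH) (\S+) HTTP\/[\d.]+"/', $logLine, $m) !== 1) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);
    return $params;
}

// Names of the parameters in one log line that look like serialized objects.
function flaggedParams(string $logLine): array
{
    $hits = [];
    foreach (queryParams($logLine) as $name => $value) {
        if (is_string($value) && containsSerializedObject($value)) {
            $hits[] = (string) $name;
        }
    }
    return $hits;
}

// Constructed sample: one benign request, one with a percent-encoded object
// (stdClass, which has no behaviour), one with the same object base64-wrapped.
$wrapped = rawurlencode(base64_encode('O:8:"stdClass":0:{}'));
$lines = [
    '203.0.113.7 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=gf_sf_preview&page=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:12:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=gf_sf_preview&state=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:12:00:15 +0000] "GET /wp-admin/admin-ajax.php?action=gf_sf_preview&state=' . $wrapped . ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

foreach ($lines as $i => $line) {
    $hits = flaggedParams($line);
    printf("line %d: %s\n", $i + 1, $hits ? 'ALERT serialized object in ' . implode(', ', $hits) : 'ok');
}
```

The first line is reported as `ok` and the other two raise an alert on the `state` parameter. Access logs only record the query string, so POST bodies, which are the more common carrier for this kind of payload, need request-body logging at the WAF or reverse proxy before the same check can be applied to them.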

Compensating Controls: Use a WAF to inspect incoming traffic for known deserialization attack payloads, providing a temporary layer of protection until the plugin is updated.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of object injection vulnerabilities, organizations must treat this update with the highest urgency. Ensure the plugin is patched immediately to prevent remote exploitation of the WordPress environment.