CVE-2025-60209
Google · Google Multiple Products (Specifically, the "CRM Perks Connector for Gravity Forms and Google Sheets" WordPress plugin, which integrates with Google Sheets)
Executive summary
A high-severity vulnerability, identified as CVE-2025-60209, has been discovered in the CRM Perks Connector for Gravity Forms and Google Sheets WordPress plugin. This flaw allows an unauthenticated attacker to inject a malicious serialized PHP object and potentially take full control of the affected website. Organizations using this plugin are at significant risk of data breaches, website defacement, and further network compromise.
Vulnerability
The vulnerability is a Deserialization of Untrusted Data flaw within the WordPress plugin. An unauthenticated attacker can send a specially crafted serialized PHP object to an endpoint handled by the plugin. The application deserializes this data without validating it, which instantiates an attacker-chosen object in memory. By chaining the behaviour of classes already loaded in the WordPress environment (a property-oriented programming, or "POP", chain), an attacker can trigger a sequence of events leading to arbitrary code execution, file manipulation, or other unauthorized actions on the web server.
Business impact
This is a high-severity vulnerability with a CVSS score of 8.2, posing a significant risk to the business. Successful exploitation could lead to a complete compromise of the web server hosting the affected WordPress site. The potential consequences include theft of sensitive data from the website's database (such as customer information or form submissions), service disruption, website defacement, and the use of the compromised server as a launch point for further attacks against the internal network, leading to severe financial and reputational damage.
Remediation
Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately. All systems running the "CRM Perks Connector for Gravity Forms and Google Sheets" plugin should be identified and patched as a top priority. Following the update, administrators should monitor for any signs of exploitation attempts by reviewing web server and application access logs.
Proactive Monitoring: Security teams should monitor web server access logs for unusual POST requests, particularly those containing long, encoded strings which may indicate a serialized object. Monitor PHP and application error logs for deserialization-related errors. File Integrity Monitoring (FIM) should be used to detect unauthorized changes to plugin files, and network traffic should be monitored for any suspicious outbound connections from the web server.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP object injection attempts. As a temporary measure, consider disabling the affected plugin until it can be safely updated. Restricting access to pages utilizing the plugin to trusted IP addresses can also reduce the attack surface.
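The following Python scanner is an added example, not code from this advisory, from the plugin, or from its vendor. It implements the monitoring advice above and makes concrete what "a serialized PHP object" looks like on the wire: the object header `O:<name length>:"<class name>":<property count>:{` is recognized, the declared name length is checked against the actual name to avoid false positives, and query-parameter values are examined raw, URL-decoded, and base64-decoded. The log lines, request paths, parameter names and the `stdClass` class name are constructed placeholders; the real plugin's endpoints are not named on this page and are not assumed here.

```python
"""Added example: flag web requests carrying PHP-serialized objects (possible object-injection attempts).

Constructed sample data only; the endpoint names and payloads below are placeholders, not the plugin's.
"""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import quote, unquote

# Header of a PHP serialized object: O:<name length>:"<class name>":<property count>:{
# Only the object token matters for object injection; scalars (s:, i:) and arrays (a:)
# on their own cannot instantiate a class.
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]*)":(\d+):\{')
# A whole parameter value that looks like base64 (standard or URL-safe alphabet) and is
# long enough to carry a serialized object.
B64_RE = re.compile(r"[A-Za-z0-9+/_-]{20,}={0,2}")
# Apache/nginx "combined" format, reduced to the fields used here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def php_object_classes(text: str) -> list:
    """Return class names from well-formed PHP object headers found in text.

    The declared name length must equal the actual name length, which filters out
    accidental matches such as O:99:"x":0:{} in ordinary text.
    """
    return [name for length, name, _ in PHP_OBJECT_RE.findall(text) if int(length) == len(name)]


def candidate_values(target: str) -> list:
    """Split a request target into its path and query-parameter values, raw and URL-decoded."""
    path, _, query = target.partition("?")
    raws = [path] + [pair.partition("=")[2] for pair in query.split("&") if pair]
    values = []
    for raw in raws:
        values.append(raw)
        decoded = unquote(raw)  # unquote, not unquote_plus: keep '+' intact for base64 candidates
        if decoded != raw:
            values.append(decoded)
    return values


def decoded_views(value: str) -> list:
    """Return the value itself plus its base64-decoded form when the whole value looks like base64."""
    views = [value]
    if B64_RE.fullmatch(value):
        try:
            padded = value + "=" * (-len(value) % 4)
            views.append(base64.b64decode(padded, altchars=b"-_").decode("latin-1"))
        except (binascii.Error, ValueError):
            pass
    return views


def inspect_request(method: str, target: str) -> Optional[dict]:
    """Return a finding when the request target carries a PHP object header, else None."""
    classes = []
    for value in candidate_values(target):
        for view in decoded_views(value):
            classes.extend(php_object_classes(view))
    if not classes:
        return None
    return {"method": method, "target": target, "classes": sorted(set(classes))}


def scan_access_log(lines) -> list:
    """Run inspect_request over access-log lines; return one finding per flagged request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["method"], m["target"])
        if finding:
            finding["ip"] = m["ip"]
            finding["timestamp"] = m["ts"]
            findings.append(finding)
    return findings


# Constructed sample traffic (not real logs). stdClass stands in for whatever class a real
# payload would name; the request paths and parameter names are placeholders.
SAMPLE_OBJECT = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'
SAMPLE_B64 = base64.b64encode(SAMPLE_OBJECT.encode()).decode()
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    # serialized object, URL-encoded in a query parameter
    '203.0.113.20 - - [10/Oct/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=example_hook&data='
    + quote(SAMPLE_OBJECT, safe="") + ' HTTP/1.1" 200 77 "-" "curl/8.0"',
    # the same object, base64-encoded
    '203.0.113.30 - - [10/Oct/2025:12:00:03 +0000] "POST /?state=' + SAMPLE_B64 + ' HTTP/1.1" 200 77 "-" "curl/8.0"',
    # malformed header (declared length 99 for a one-character name): not flagged
    '203.0.113.40 - - [10/Oct/2025:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=save&s=O%3A99%3A%22x%22%3A0%3A%7B%7D HTTP/1.1" 400 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

Two caveats when applying this to real traffic. Standard access logs record only the request line, so a payload carried in a POST body is invisible to this scanner; body inspection needs the WAF or application-level request logging, and the same header-matching logic is what a WAF rule for PHP object injection should implement. Second, the heuristic flags the presence of an object header, not a specific exploit, so every hit against the plugin's endpoints should be reviewed together with PHP error logs and file-integrity alerts as described above.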
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.2 and the potential for unauthenticated remote code execution, this vulnerability represents a critical risk. Although it is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a likely target for future exploitation. We strongly recommend that all organizations using the affected plugin prioritize applying the vendor-supplied patch immediately to prevent potential system compromise.