CVE-2025-60178
CRM Perks · WP Gravity Forms HubSpot
The CRM Perks WP Gravity Forms HubSpot plugin contains a deserialization vulnerability that permits the injection of malicious objects.
Executive summary
A critical object injection flaw in the WP Gravity Forms HubSpot plugin creates a high risk of remote code execution and unauthorized data access due to unsafe deserialization.
Vulnerability
The plugin deserializes untrusted input unsafely (PHP object injection). An attacker who can supply that input can inject arbitrary objects; depending on which classes are loaded on the site, this can lead to remote code execution or other critical impact on the host system.
Business impact
The CVSS score of 9.8 reflects the high severity of this vulnerability, which could result in complete compromise of the WordPress site. Impacted businesses face significant risks, including unauthorized access to HubSpot CRM data and potential lateral movement within the network.
Remediation
Immediate Action: Update the WP Gravity Forms HubSpot plugin to the latest version released by CRM Perks to mitigate the object injection risk.
Proactive Monitoring: Audit application logs for suspicious activity and monitor for unexpected changes in system configuration or database entries.
Compensating Controls: Implement a WAF to filter malicious payloads and block unauthorized access attempts specifically targeting the plugin's data processing functions.
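The following PHP is an added illustration of the weakness described under Vulnerability and of the input filtering suggested under Compensating Controls. It is not code from the CRM Perks plugin: the handler names, the hidden-field source of the data and the sample inputs are all constructed for the example. It places the vulnerable unserialize() pattern beside two hardened alternatives and a pre-check that a WAF rule or input filter can apply.

```php
<?php
// Added example; hypothetical handler, not the plugin's own code.
// Assumption: the plugin reads serialized state from an HTTP request
// (e.g. a hidden form field) and restores it with unserialize().

// VULNERABLE pattern: unserialize() on attacker-controlled input will
// instantiate any class on the site, so a crafted string can reach
// __wakeup()/__destruct() methods of loaded classes (a "gadget chain").
function load_state_vulnerable(string $raw)
{
    return unserialize($raw);
}

// HARDENED (PHP >= 7.0): refuse object instantiation entirely.
// With allowed_classes => false every object in the string, nested ones
// included, is restored as __PHP_Incomplete_Class, which has no methods,
// so no magic method can run. Scalars and arrays are still restored.
function load_state_hardened(string $raw)
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false || $data instanceof __PHP_Incomplete_Class) {
        return null; // malformed input or an object where none is expected
    }
    return $data;
}

// PREFERRED: do not use PHP serialization for untrusted data at all.
// JSON carries only scalars, arrays and objects with no class identity,
// so decoding it cannot trigger application code.
function load_state_json(string $raw): ?array
{
    $data = json_decode($raw, true, 16); // associative arrays, depth limit 16
    return is_array($data) ? $data : null;
}

// Pre-check usable in a WAF rule or request filter: PHP serialized objects
// are encoded as O:<len>:"<class>" (or C:<len>:"<class>" for Serializable
// classes) and may appear at the start of the string or nested after ';' or '{'.
// A filter should also apply this check to base64-decoded parameter values.
function looks_like_serialized_object(string $raw): bool
{
    return (bool) preg_match('/(^|[;{])[OC]:\d+:"/', $raw);
}

// Constructed sample inputs (not captured traffic).
$benign_settings = serialize(['form_id' => 3, 'portal' => 'example']);
// stdClass is harmless; the shape is the same as an injected gadget object.
$object_payload  = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

var_dump(load_state_hardened($benign_settings));          // array(2) preserved
var_dump(load_state_hardened($object_payload));           // NULL: object refused
var_dump(looks_like_serialized_object($benign_settings)); // bool(false)
var_dump(looks_like_serialized_object($object_payload));  // bool(true)
var_dump(load_state_json('{"form_id":3,"portal":"example"}')); // array(2)
```

When triaging a site that runs the vulnerable version, the hardened form and the pre-check are stop-gaps only: the filter can be bypassed by encodings the rule does not decode, and allowed_classes only helps where the plugin genuinely needs no objects in the restored data. Updating the plugin, as stated under Remediation, remains the fix.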
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Immediate remediation is required to secure the application against this critical vulnerability. Administrators should verify that the patch is applied and perform a security review of the environment following the update.