CVE-2025-60178

CRM Perks · WP Gravity Forms HubSpot

The CRM Perks WP Gravity Forms HubSpot plugin contains a deserialization vulnerability that permits the injection of malicious objects.

Executive summary

A critical object injection flaw in the WP Gravity Forms HubSpot plugin creates a high risk of remote code execution and unauthorized data access due to unsafe deserialization.

Vulnerability

The plugin deserializes untrusted input without restricting what it may contain. An attacker who controls that input can inject arbitrary objects into the application, which can escalate to the remote code execution and unauthorized data access noted in the executive summary.

Business impact

The CVSS score of 9.8 reflects the high severity of this vulnerability, which could result in complete compromise of the WordPress site. Impacted businesses face significant risks, including unauthorized access to HubSpot CRM data and potential lateral movement within the network.

Remediation

Immediate Action: Update the WP Gravity Forms HubSpot plugin to the latest version released by CRM Perks to mitigate the object injection risk.

Proactive Monitoring: Audit application logs for suspicious activity and monitor for unexpected changes in system configuration or database entries.

Compensating Controls: Implement a WAF to filter malicious payloads and block unauthorized access attempts specifically targeting the plugin's data processing functions.
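As an added illustration of the vulnerability class described above and of the monitoring and WAF controls in this section (example code, not the plugin's or CRM Perks' own), the snippet below contrasts the unsafe PHP unserialize() pattern with hardened alternatives and adds a heuristic for spotting serialized-object payloads during log review. It assumes PHP 8 and uses hypothetical function names; the advisory does not identify the plugin's actual vulnerable routine.

```php
<?php
// Added example, not the plugin's own code. The function names and the settings
// payload are hypothetical; the advisory does not identify the vulnerable routine.

// Vulnerable pattern: untrusted request data goes straight into unserialize(),
// so any loadable class with __wakeup()/__destruct() can be instantiated (object injection).
function load_settings_unsafe(string $raw): mixed {
    return unserialize($raw);
}

// Hardened pattern: forbid class instantiation and accept only a plain array.
// Serialized objects become __PHP_Incomplete_Class, so no magic method runs.
function load_settings_safe(string $raw): array|false {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : false;
}

// Preferred for new code: JSON cannot encode PHP objects at all.
function load_settings_json(string $raw): array|false {
    $data = json_decode($raw, true, 16);
    return (json_last_error() === JSON_ERROR_NONE && is_array($data)) ? $data : false;
}

// Log-review / WAF heuristic: flag a PHP serialized-object header
// (O:<len>:"Class":<n>:{) in a parameter that should only carry scalars or arrays.
function contains_serialized_object(string $value): bool {
    return (bool) preg_match('/(?:^|[;{:])O:\d+:"[^"]+":\d+:\{/', $value);
}

// Constructed sample inputs: a benign settings array and a harmless stdClass object.
$benign     = serialize(['list_id' => 42, 'sync' => true]);
$suspicious = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

var_dump(load_settings_safe($benign));              // the array is returned unchanged
var_dump(load_settings_safe($suspicious));          // false: the object is refused
var_dump(contains_serialized_object($suspicious));  // flagged for review
var_dump(contains_serialized_object($benign));      // not flagged
```

The heuristic is a triage aid, not a parser: pair it with the allowed_classes restriction rather than relying on pattern matching alone.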

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Immediate remediation is required to secure the application against this critical vulnerability. Administrators should verify that the patch is applied and perform a security review of the environment following the update.