CVE-2025-60180
CRM Perks · WP Gravity Forms Salesforce
The CRM Perks WP Gravity Forms Salesforce plugin is susceptible to deserialization of untrusted data, which can lead to arbitrary object injection.
Executive summary
A critical PHP object injection vulnerability (CWE-502, deserialization of untrusted data) in the WP Gravity Forms Salesforce plugin lets a remote attacker feed crafted serialized data to the plugin. The injected objects can be leveraged for remote code execution or other unauthorized access to the WordPress site, depending on which classes are available on the target.
Vulnerability
The plugin passes user-supplied data to PHP deserialization without restricting what it may contain: the CWE-502 pattern of attacker-controlled input reaching unserialize(). PHP instantiates whatever class the serialized string names and populates its properties, and that class's magic methods (__wakeup on load, __destruct when the object is discarded, __toString when it is cast) run without the plugin ever calling them. An attacker can therefore inject objects of any class that WordPress core, the theme or another plugin has loaded; whether that yields code execution, file deletion or some other effect depends on which such gadget chains exist on the site.
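The pattern described above, as an added example that is not code from the CRM Perks plugin: a minimal gadget class, the vulnerable unserialize() call, and two hardened forms. Gadget_Example, the load_settings_* functions and the payload string are hypothetical; the file path is chosen only to show that the attacker, not the plugin, controls what the destructor does.

```php
<?php
// Added example, not code from the CRM Perks plugin: the generic PHP
// object-injection pattern behind CWE-502, next to two hardened forms.
// Gadget_Example, the settings functions and the payload are hypothetical.

// A class whose destructor has a side effect. WordPress core, themes and
// other plugins define many classes like this; an attacker needs only one
// that is loaded (or autoloadable) when the plugin deserializes.
class Gadget_Example {
    public $path = '';

    public function __destruct() {
        // Runs automatically when the object is garbage-collected, even
        // though the plugin never called it. With an attacker-chosen $path
        // this deletes any file the web server user can remove.
        if ($this->path !== '') {
            @unlink($this->path);
        }
    }
}

// VULNERABLE: untrusted input reaches unserialize() unrestricted, so the
// attacker picks the class, its properties, and therefore which magic
// methods (__wakeup, __destruct, __toString, ...) end up running.
function load_settings_vulnerable(string $raw) {
    return unserialize($raw);
}

// HARDENED 1: keep the serialized format but refuse every class.
// Objects become __PHP_Incomplete_Class and no magic method runs.
function load_settings_hardened(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// HARDENED 2: use JSON, which has no notion of PHP objects at all.
function load_settings_json(string $raw): array {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

// Constructed payload: an instance of Gadget_Example with $path set.
// Format: O:<name length>:"<class>":<property count>:{<properties>}
$payload = 'O:14:"Gadget_Example":1:{s:4:"path";s:6:"/tmp/x";}';

load_settings_vulnerable($payload);   // object built, then discarded: __destruct fires
load_settings_hardened($payload);     // incomplete class, no destructor, returns []
load_settings_json($payload);         // not valid JSON, returns []
```

The allowed_classes option exists since PHP 7.0 and is the smallest change when the serialized format cannot be dropped; WordPress's own maybe_unserialize() helper does not restrict classes, so routing input through it is not a fix. Where the data format is under the plugin's control, JSON removes the class of bug entirely.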
Business impact
With a CVSS score of 9.8, this vulnerability represents a critical risk to the confidentiality, integrity and availability of the WordPress site; a 9.8 base score is consistent with a network-reachable attack path that needs no privileges or user interaction. Successful exploitation could lead to full compromise of the site, allowing attackers to execute arbitrary code and gain access to sensitive Salesforce integration data, such as the Salesforce API credentials the plugin stores and the form submissions it forwards.
Remediation
Immediate Action: Update the WP Gravity Forms Salesforce plugin to the most recent version released by CRM Perks, checking the vendor changelog for the release that addresses the deserialization flaw, and confirm the installed version afterwards (Plugins screen or wp plugin list) rather than assuming auto-update ran.
Proactive Monitoring: Watch for PHP serialized-object markers (O:<length>:"ClassName": patterns, possibly URL- or base64-encoded) in query strings, cookies and POST bodies reaching the plugin's endpoints, and for anomalous request volumes to them. Standard access logs record only the request line, so inspecting POST bodies and cookies requires WAF audit logging or application-level logging.
Compensating Controls: A WAF rule that blocks serialized-object markers in requests adds a temporary layer of protection, but it only matches known patterns; encoded or otherwise obfuscated payloads can bypass it, so it is not a substitute for the update.
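The monitoring step above, as an added example that is not from the advisory or the plugin: a small scanner that walks Apache/nginx combined-format access log lines, extracts the request URI, and looks for a PHP serialized-object header in the raw, URL-decoded and base64-decoded forms of it. The log lines are constructed for the example and both payloads are the harmless O:8:"stdClass":0:{}; the function names and the regular expressions are this example's own.

```php
<?php
// Added example, not from the advisory or the plugin: scan web-server
// access log lines (Apache/nginx "combined" format) for PHP serialized
// object markers in the request URI, after URL- and base64-decoding.
// The log lines below are constructed for this example.

// PHP serialized object header: O:<len>:"<Class>":<count>:{
// Backslashes are allowed in the class name for namespaced classes.
const SERIALIZED_OBJECT_RE = '/O:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/';

// Return the raw value plus its URL-decoded and base64-decoded variants,
// since payloads are rarely sent as plain text.
function decode_candidates(string $value): array {
    $candidates = [$value];
    $decoded = rawurldecode($value);
    if ($decoded !== $value) {
        $candidates[] = $decoded;
    }
    foreach ($candidates as $c) {
        // Base64 runs of 16+ chars with optional padding; strict mode
        // rejects anything outside the base64 alphabet. Long nonces or
        // slugs may decode to garbage, which simply never matches.
        if (preg_match_all('/[A-Za-z0-9+\/]{16,}={0,2}/', $c, $m)) {
            foreach ($m[0] as $token) {
                $b64 = base64_decode($token, true);
                if ($b64 !== false) {
                    $candidates[] = $b64;
                }
            }
        }
    }
    return $candidates;
}

// Scan lines; return one hit per line with the line number, URI and the
// matched marker. Only the request line is inspected: access logs do not
// record POST bodies or cookies, so those need WAF audit or app logging.
function scan_access_log(array $lines): array {
    $hits = [];
    foreach ($lines as $i => $line) {
        if (!preg_match('/"(?:GET|POST|PUT|PATCH|DELETE) (\S+)/', $line, $m)) {
            continue;
        }
        $uri = $m[1];
        foreach (decode_candidates($uri) as $candidate) {
            if (preg_match(SERIALIZED_OBJECT_RE, $candidate, $om)) {
                $hits[] = ['line' => $i + 1, 'uri' => $uri, 'marker' => $om[0]];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample: a benign request, a URL-encoded payload and a
// base64-encoded one. Both payloads are the harmless O:8:"stdClass":0:{}.
$sample = [
    '198.51.100.7 - - [10/Oct/2025:12:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.5 - - [10/Oct/2025:12:00:02 +0000] "GET /?data=Tzo4OiJzdGRDbGFzcyI6MDp7fQ== HTTP/1.1" 200 512 "-" "curl/8.0"',
];

foreach (scan_access_log($sample) as $hit) {
    printf("line %d: %s in %s\n", $hit['line'], $hit['marker'], $hit['uri']);
}
```

Run it as php scan.php against a file read with file() to triage historical logs; the same decode-then-match logic belongs in a WAF or ModSecurity audit-log rule for POST bodies and cookies, which this scanner cannot see.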
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of object injection vulnerabilities, organizations must treat this update with the highest urgency and apply the patch immediately to prevent remote exploitation of the WordPress environment. If the update cannot be applied promptly, deactivating the plugin removes the vulnerable code from the request path, at the cost of pausing the Salesforce sync until the patched version is installed.