CVE-2025-60090: Deserialization of Untrusted Data in CRM Perks WP Gravity Forms Insightly
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly (gf-insightly) allows Object Injection. This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6.
AI Analysis
Technical Summary
CVE-2025-60090 is a critical vulnerability identified in the CRM Perks WP Gravity Forms Insightly plugin, specifically affecting versions up to and including 1.1.6. The flaw arises from insecure deserialization of untrusted data, which allows attackers to perform object injection attacks. Deserialization vulnerabilities occur when untrusted input is processed by the application’s deserialization routines without proper validation or sanitization, enabling attackers to manipulate serialized objects to execute arbitrary code or commands. In this case, the vulnerability is remotely exploitable over the network without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation can lead to full compromise of the affected WordPress site’s confidentiality, integrity, and availability, potentially allowing attackers to execute arbitrary PHP code, access sensitive data, modify site content, or disrupt services. The vulnerability affects the WP Gravity Forms Insightly plugin, which integrates Gravity Forms with the Insightly CRM system, commonly used to capture and manage customer data. Despite no known exploits currently in the wild, the critical severity and ease of exploitation make this a high-priority threat. The absence of available patches at the time of publication increases the urgency for organizations to implement interim mitigations and monitor their environments closely.
Potential Impact
For European organizations, the impact of CVE-2025-60090 can be severe. Many businesses rely on WordPress for their websites and customer engagement platforms, often integrating CRM tools like Insightly to manage client relationships. Exploitation could lead to unauthorized access to sensitive customer data, including personal and financial information, violating GDPR and other data protection regulations, resulting in legal penalties and reputational damage. The ability to execute arbitrary code remotely can also facilitate ransomware attacks, website defacement, or use of compromised servers as pivot points for further network intrusion. E-commerce platforms, government portals, and service providers using the vulnerable plugin are particularly at risk. The disruption of availability could lead to loss of business continuity and customer trust. Given the critical nature of the vulnerability and the potential for widespread exploitation, European organizations must act swiftly to mitigate risks.
Mitigation Recommendations
1. Immediately identify and inventory WordPress sites using the WP Gravity Forms Insightly plugin, especially versions up to 1.1.6.
2. Apply any available patches or updates from CRM Perks as soon as they are released. If no patch is available, consider temporarily disabling or uninstalling the plugin to eliminate exposure.
3. Restrict access to WordPress administrative interfaces and plugin endpoints via IP whitelisting or VPN to reduce attack surface.
4. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious serialized payloads or object injection attempts targeting the plugin.
5. Monitor logs for unusual activity, including unexpected POST requests to Gravity Forms endpoints or anomalous PHP execution patterns.
6. Conduct regular backups of website data and configurations to enable rapid recovery in case of compromise.
7. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates.
8. Consider deploying runtime application self-protection (RASP) solutions to detect and prevent exploitation attempts in real time.
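Recommendations 4 and 5 both come down to recognising PHP serialized-object data arriving in requests. The following Python script is an added example written for this page, not code from the advisory, from CRM Perks or from the plugin: it scans request records for PHP object headers of the form `O:<len>:"<Class>":<n>:{`, undoing URL and base64 transport encoding first, and rates any object whose class is outside an allowlist as high severity. The request records, the endpoint paths, the `Acme_Logger` class name and the `EXPECTED_CLASSES` allowlist are constructed placeholders and say nothing about the plugin's real endpoints or classes.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote_plus

# PHP serialized object header: O:<byte length>:"<class name>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]+)":\d+:\{')

# Classes the application is expected to deserialize. Constructed placeholder
# allowlist; a real deployment would derive it from the code that calls unserialize().
EXPECTED_CLASSES = {"stdClass"}

# Constructed sample request records (not real traffic, not the plugin's endpoints).
SAMPLE_REQUESTS = [
    {"ts": "2026-01-20T09:41:05Z", "src": "203.0.113.10", "method": "POST",
     "path": "/wp-admin/admin-ajax.php",
     "body": "action=example_action&data=a%3A1%3A%7Bs%3A4%3A%22name%22%3Bs%3A3%3A%22Bob%22%3B%7D"},
    {"ts": "2026-01-20T09:41:06Z", "src": "203.0.113.11", "method": "POST",
     "path": "/wp-admin/admin-ajax.php",
     "body": "data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22x%22%3Bi%3A1%3B%7D"},
    {"ts": "2026-01-20T09:41:07Z", "src": "203.0.113.12", "method": "POST",
     "path": "/wp-json/example/v1/submit",
     # Base64-wrapped object with a constructed, non-allowlisted class name.
     "body": "data=" + quote(base64.b64encode(b'O:11:"Acme_Logger":0:{}').decode(), safe="")},
    {"ts": "2026-01-20T09:41:08Z", "src": "203.0.113.13", "method": "POST",
     "path": "/wp-admin/admin-ajax.php",
     "body": "comment=Note%3A+O%3Atest+in+prose"},
    {"ts": "2026-01-20T09:41:09Z", "src": "203.0.113.14", "method": "POST",
     "path": "/wp-admin/admin-ajax.php",
     # Declared length 3 does not match "stdClass"; PHP would reject this header.
     "body": "data=O%3A3%3A%22stdClass%22%3A0%3A%7B%7D"},
]


def find_php_objects(payload: str) -> list[str]:
    """Return the class name of every well-formed PHP object header in payload.

    The declared byte length is checked against the class name so that ordinary
    text containing 'O:' (or a malformed header) is not reported."""
    found = []
    for m in PHP_OBJECT_RE.finditer(payload):
        declared_len, cls = int(m.group(1)), m.group(2)
        if len(cls.encode("utf-8")) == declared_len:
            found.append(cls)
    return found


def decode_layers(value: str) -> list[str]:
    """Return candidate plaintexts: the value as-is, URL-decoded until stable, and
    every base64-looking run (16+ chars) decoded, since payloads in logs are
    usually transport-encoded one or two times."""
    variants = [value]
    cur = value
    for _ in range(3):
        nxt = unquote_plus(cur)
        if nxt == cur:
            break
        variants.append(nxt)
        cur = nxt
    for text in list(variants):
        for token in re.findall(r"[A-Za-z0-9+/]{16,}", text):
            padded = token + "=" * (-len(token) % 4)
            try:
                decoded = base64.b64decode(padded, validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                continue
            variants.append(decoded)
    return variants


def analyze(requests: list[dict]) -> list[dict]:
    """Produce one finding per request that carries a PHP serialized object.

    Severity is 'high' when any class is outside EXPECTED_CLASSES, else 'medium'."""
    findings = []
    for r in requests:
        classes = set()
        for text in decode_layers(r["path"] + " " + r["body"]):
            classes.update(find_php_objects(text))
        if classes:
            unexpected = classes - EXPECTED_CLASSES
            findings.append({"ts": r["ts"], "src": r["src"], "path": r["path"],
                             "classes": sorted(classes),
                             "severity": "high" if unexpected else "medium"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REQUESTS):
        print(f"{f['ts']} {f['src']} {f['path']} {f['severity'].upper()} classes={f['classes']}")
```

The length check and the digit requirement in the regex keep prose mentions of `O:` out of the results; the allowlist is what turns "a serialized object arrived" into "an object of a class this code never expects to build", which is the signal worth alerting on. The same matcher can be expressed as a WAF rule on the decoded request body, with the allowlist applied in the SIEM rather than inline.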
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:20:09.847Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b04e4eb3efac36700394
Added to database: 12/18/2025, 7:42:06 AM
Last enriched: 1/20/2026, 9:41:05 PM
Last updated: 2/6/2026, 6:55:25 AM