CVE-2025-60090 identifies a critical vulnerability in the CRM Perks WP Gravity Forms Insightly WordPress plugin, specifically in versions up to 1.1.6. The vulnerability is a deserialization of untrusted data issue, which allows an attacker to perform object injection attacks. Deserialization vulnerabilities occur when untrusted input is deserialized without proper validation or sanitization, enabling attackers to inject malicious objects that can alter program flow or execute arbitrary code. In this case, the plugin processes serialized data inputs related to Gravity Forms integration with Insightly CRM. An attacker exploiting this vulnerability could potentially execute arbitrary PHP code on the server, leading to full system compromise, data theft, or site defacement. The vulnerability does not require prior authentication or user interaction, increasing its risk profile. Although no public exploits have been reported yet, the nature of object injection vulnerabilities makes them attractive targets for attackers. The plugin is widely used in WordPress environments to facilitate CRM data management, making affected sites vulnerable. The lack of a CVSS score indicates that the vulnerability is newly published and pending detailed scoring. The vulnerability was reserved in September 2025 and published in December 2025, with no patch links currently available, suggesting that remediation may still be in progress.

For European organizations, exploitation of CVE-2025-60090 could lead to severe consequences including unauthorized access to sensitive customer data managed via Insightly CRM, disruption of business operations due to website defacement or downtime, and potential lateral movement within corporate networks if the WordPress server is part of a broader infrastructure. The confidentiality of CRM data is at risk, which may include personal data protected under GDPR, leading to regulatory and reputational damage. Integrity of data and systems can be compromised through arbitrary code execution, while availability may be affected if attackers deploy ransomware or cause service outages. Organizations relying heavily on WordPress and the CRM Perks plugin for customer relationship management are particularly vulnerable. The absence of known exploits currently provides a window for proactive mitigation, but the ease of exploitation without authentication elevates the threat level. Attackers targeting European businesses, especially those in sectors like finance, retail, and professional services that use Insightly CRM, could leverage this vulnerability for espionage or disruption.

European organizations should immediately inventory their WordPress installations to identify the presence of the CRM Perks WP Gravity Forms Insightly plugin and verify the version in use. Until a vendor patch is released, it is advisable to disable or uninstall the plugin to eliminate the attack surface. Implement strict input validation and sanitization controls where possible, and monitor web server logs for suspicious serialized payloads or unusual POST requests targeting Gravity Forms endpoints. Employ web application firewalls (WAFs) with custom rules to detect and block deserialization attack patterns. Regularly update WordPress core, plugins, and themes to reduce exposure to known vulnerabilities. Conduct penetration testing focusing on deserialization vectors and object injection attempts. Additionally, ensure robust backup and incident response plans are in place to quickly recover from potential compromises. Engage with the vendor for timely patch releases and subscribe to vulnerability advisories to stay informed.