CVE-2025-60091: Deserialization of Untrusted Data in CRM Perks WP Gravity Forms Zoho CRM and Bigin
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection. This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.
AI Analysis
Technical Summary
CVE-2025-60091 is a vulnerability in the CRM Perks WP Gravity Forms Zoho CRM and Bigin plugin (slug gf-zoho), affecting versions up to and including 1.2.9. The flaw is unsafe deserialization of untrusted data, which allows an attacker to perform PHP object injection. Deserialization is the process of converting serialized data back into objects; if the input is not validated, an attacker can craft a serialized payload that, when deserialized, instantiates attacker-chosen classes and can lead to arbitrary code execution or manipulation of application logic. The plugin integrates WordPress Gravity Forms with Zoho CRM and Bigin, so it exchanges form and CRM data. Sending specially crafted data to the plugin's deserialization path could therefore lead to remote code execution, privilege escalation, or data manipulation. No CVSS score has been assigned yet, and no patches or known exploits are currently reported. The vulnerability was reserved in September 2025 and published in December 2025. The advisory does not state whether authentication or user interaction is required, which suggests the vulnerable code path may be reachable remotely and increases the risk. Because the plugin handles CRM data, exploitation could compromise sensitive customer data and disrupt business operations. With no official patch available, organizations running this plugin in their WordPress environments need to mitigate the risk immediately.
Potential Impact
For European organizations, exploitation of this vulnerability could lead to severe consequences including unauthorized access to customer relationship management data, remote code execution on web servers, and potential lateral movement within corporate networks. This could result in data breaches exposing personal and business-critical information, violating GDPR and other data protection regulations, leading to legal and financial penalties. The integrity and availability of CRM data could be compromised, disrupting sales, marketing, and customer support operations. Organizations relying on Zoho CRM and Bigin integrated via this plugin are particularly at risk. The impact is amplified for sectors with high regulatory scrutiny such as finance, healthcare, and government. Additionally, reputational damage from a breach could affect customer trust and business continuity. Since no patches are currently available, the window of exposure remains open, increasing the urgency for proactive defenses.
Mitigation Recommendations
Until an official patch is released, European organizations should implement the following specific mitigations:
1) Immediately audit and inventory all WordPress instances using the CRM Perks WP Gravity Forms Zoho CRM and Bigin plugin and identify affected versions.
2) Restrict access to endpoints handling serialized data by applying web application firewall (WAF) rules to detect and block suspicious serialized payloads or unusual POST requests.
3) Employ strict input validation and sanitization at the application or proxy level to prevent malicious data from reaching the deserialization routines.
4) Disable or limit plugin functionality if feasible, especially features that process external serialized input.
5) Monitor logs for anomalous activity indicative of exploitation attempts, such as unexpected serialized data or errors related to deserialization.
6) Isolate WordPress environments with this plugin from critical internal networks to contain potential breaches.
7) Plan and test patch deployment as soon as the vendor releases a fix.
8) Educate IT and security teams about this vulnerability to ensure rapid response to any incidents.
These targeted actions go beyond generic advice and address the specific attack vector and environment.
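The following is an added example, not code from the gf-zoho plugin, Patchstack, or this advisory. It implements the monitoring and WAF-style check from items 2 and 5 above: it scans HTTP POST bodies (as a reverse proxy or WAF log would record them) for the header of a PHP serialized object, `O:<len>:"<ClassName>":<count>:{`, which is what a PHP object injection payload must contain. It checks the raw body, its URL-decoded form, and any base64-encoded tokens, and it requires the declared class-name length to match the actual name so that ordinary text resembling the pattern is not flagged. The request path `/wp-admin/admin-ajax.php` is a standard WordPress endpoint; the `action` values, field names, client IPs and bodies are constructed placeholders, since the plugin's real endpoints and parameter names are not on this page.

```python
"""Added example: detect PHP serialized objects in HTTP POST bodies.

Not part of the gf-zoho plugin or the advisory. Assumes request bodies are
available from a proxy/WAF log and that clients have no legitimate reason to
send PHP-serialized objects to the application.
"""
import base64
import re
from urllib.parse import unquote_to_bytes

# Header of a PHP serialized object: O:<name_len>:"<ClassName>":<prop_count>:{
# C: is the legacy Serializable form and carries the same object-injection risk.
_PHP_OBJECT_RE = re.compile(rb'(?:O|C):(\d+):"([^"]*)":(\d+):[{]')

# Base64 tokens long enough to encode at least a short serialized object.
_B64_TOKEN_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_php_objects(data: bytes) -> list[str]:
    """Return class names of PHP serialized objects present in data.

    The declared name length must equal the actual name length; this filters
    out prose that merely resembles the pattern, e.g. O:3:"abcdef":1:{ .
    """
    found = []
    for m in _PHP_OBJECT_RE.finditer(data):
        declared_len, name = int(m.group(1)), m.group(2)
        if len(name) == declared_len:
            found.append(name.decode("utf-8", "replace"))
    return found


def candidate_decodings(body: bytes):
    """Yield the body as received, URL-decoded, and any base64 tokens decoded."""
    variants = [body]
    decoded = unquote_to_bytes(body.replace(b"+", b" "))  # form-encoding rules
    if decoded != body:
        variants.append(decoded)
    for variant in variants:
        yield variant
        for token in _B64_TOKEN_RE.findall(variant):
            try:
                yield base64.b64decode(token, validate=True)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue


def scan_requests(records):
    """records: iterable of (client_ip, path, body_bytes). Returns findings."""
    findings = []
    for client_ip, path, body in records:
        classes = []
        for variant in candidate_decodings(body):
            classes.extend(find_php_objects(variant))
        if classes:
            findings.append({"client_ip": client_ip, "path": path,
                             "classes": sorted(set(classes))})
    return findings


# Constructed sample traffic (not real captures). Action and field names are
# placeholders; the plugin's real parameters are not documented on the page.
SAMPLE_RECORDS = [
    # Ordinary form submission: no serialized object.
    ("203.0.113.10", "/wp-admin/admin-ajax.php",
     b"action=placeholder_submit&input_1=Jane+Doe&input_2=jane%40example.com"),
    # URL-encoded serialized object: O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}
    ("203.0.113.11", "/wp-admin/admin-ajax.php",
     b"action=placeholder_submit&data="
     b"O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"),
    # Base64-wrapped serialized object.
    ("203.0.113.12", "/wp-admin/admin-ajax.php",
     b"action=placeholder_submit&blob=" + base64.b64encode(b'O:8:"stdClass":0:{}')),
    # Looks like the pattern but the declared length is wrong: must not alert.
    ("203.0.113.13", "/wp-admin/admin-ajax.php",
     b"note=the+pattern+O%3A3%3A%22abcdef%22%3A1%3A%7B+is+not+a+real+object"),
]

if __name__ == "__main__":
    for f in scan_requests(SAMPLE_RECORDS):
        print(f"ALERT {f['client_ip']} {f['path']} classes={f['classes']}")
```

Run stand-alone, the script alerts on the second and third records only. On the application side the corresponding fix is to stop passing client data to `unserialize()` at all (use JSON), or at minimum to call `unserialize($data, ['allowed_classes' => false])` so that no object can be instantiated from the input.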
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:20:09.847Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 6943b04f4eb3efac3670086d
Added to database: 12/18/2025, 7:42:07 AM
Last enriched: 12/18/2025, 8:30:00 AM
Last updated: 12/19/2025, 9:07:47 AM