
CVE-2025-60091: Deserialization of Untrusted Data in CRM Perks WP Gravity Forms Zoho CRM and Bigin

Severity: Critical
Vulnerability | CVE-2025-60091
Published: Thu Dec 18 2025 (12/18/2025, 07:22:08 UTC)
Source: CVE Database V5
Vendor/Project: CRM Perks
Product: WP Gravity Forms Zoho CRM and Bigin

Description

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection. This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.

AI-Powered Analysis

Last updated: 01/20/2026, 21:41:20 UTC

Technical Analysis

CVE-2025-60091 is a critical vulnerability in the CRM Perks WP Gravity Forms Zoho CRM and Bigin WordPress plugin, specifically versions up to 1.2.9. The flaw arises from insecure deserialization of untrusted data, which allows attackers to perform object injection attacks. Deserialization vulnerabilities occur when untrusted input is deserialized without proper validation, enabling attackers to manipulate serialized objects to execute arbitrary code or alter application logic. In this case, the vulnerability impacts the 'gf-zoho' component, which integrates Gravity Forms with Zoho CRM and Bigin platforms. The vulnerability is remotely exploitable without authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). Successful exploitation can lead to full compromise of the affected system’s confidentiality, integrity, and availability, including arbitrary code execution, data leakage, and denial of service. Although no public exploits are currently known, the high CVSS score of 9.8 underscores the criticality of this issue. The vulnerability affects organizations using WordPress sites with this plugin to synchronize or manage customer relationship data with Zoho CRM or Bigin, which are popular CRM solutions. Attackers could leverage this flaw to gain persistent access, manipulate CRM data, or pivot within the network. The vulnerability was reserved in late September 2025 and published in December 2025, suggesting recent discovery and disclosure. No official patches or fixes are currently linked, emphasizing the need for immediate risk mitigation.

Potential Impact

For European organizations, this vulnerability poses a severe threat to business continuity and data security, especially for those relying on WordPress-based CRM integrations with Zoho CRM or Bigin. Exploitation could lead to unauthorized access to sensitive customer data, intellectual property theft, and disruption of CRM services critical for sales and customer management. Given the criticality and unauthenticated remote exploitability, attackers could compromise multiple organizations rapidly, potentially affecting supply chains and customer trust. The impact extends beyond data loss to include reputational damage and regulatory penalties under GDPR due to exposure of personal data. Organizations in sectors such as finance, healthcare, retail, and government, which heavily rely on CRM systems, are particularly vulnerable. The lack of known exploits in the wild provides a narrow window for proactive defense, but the high severity demands urgent action to prevent exploitation. Additionally, the integration nature of the plugin means that compromise could facilitate lateral movement within enterprise networks, increasing the overall risk footprint.

Mitigation Recommendations

Immediate mitigation should focus on monitoring and restricting access to WordPress admin interfaces and the affected plugin components. Organizations should apply any available patches from CRM Perks as soon as they are released. In the absence of patches, disabling or uninstalling the WP Gravity Forms Zoho CRM and Bigin plugin is recommended to eliminate the attack surface. Implementing strict input validation and sanitization on all data inputs related to the plugin can reduce risk. Deploying Web Application Firewalls (WAFs) with custom rules to detect and block malicious serialized payloads targeting the plugin’s endpoints can provide interim protection. Regularly audit WordPress installations for outdated plugins and monitor logs for suspicious activity indicative of exploitation attempts. Network segmentation to isolate WordPress servers from critical backend systems can limit attacker lateral movement. Additionally, organizations should review and tighten permissions for WordPress users and CRM integrations to minimize potential damage. Finally, ensure comprehensive backups are maintained and tested to enable rapid recovery if compromise occurs.
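The following Python is an added example, not code from the advisory, the plugin or CRM Perks. It ties the technical analysis to the interim WAF and log-monitoring step recommended above: WordPress plugins are PHP, so "object injection" means an attacker-controlled string reaching PHP's unserialize(), and the telltale of such input is an `O:<len>:"<ClassName>":<n>:{...}` token in a request parameter. The scanner walks PHP's serialize() format strictly (raw, URL-encoded or base64 forms), records every class name it meets, and stays silent on serialized arrays that carry no object, so it does not alert on a plugin's legitimate settings blobs. It assumes nothing about the plugin's real parameter names or endpoints (the page gives none); every sample value is constructed.

```python
"""Added example (not from the advisory): flag PHP serialized objects in
user-supplied parameters. All sample values below are constructed."""
from __future__ import annotations
import base64
import re
from urllib.parse import unquote_to_bytes

class NotSerialized(ValueError):
    """Input is not a complete, well-formed PHP serialize() blob."""

class PhpSerializeScanner:
    """Strict walker for PHP's serialize() format; records every O: class name, nested or not."""
    def __init__(self, data: bytes) -> None:
        self.data, self.pos, self.classes = data, 0, []
    def _expect(self, token: bytes) -> None:
        if not self.data.startswith(token, self.pos):
            raise NotSerialized(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)
    def _read_until(self, delim: bytes) -> bytes:
        end = self.data.find(delim, self.pos)
        if end < 0:
            raise NotSerialized(f"missing {delim!r}")
        chunk, self.pos = self.data[self.pos:end], end + len(delim)
        return chunk
    def _read_int(self) -> int:
        raw = self._read_until(b":")
        if not re.fullmatch(rb"\d+", raw):
            raise NotSerialized(f"bad count {raw!r}")
        return int(raw)
    def _read_string(self) -> bytes:
        # <len>:"<bytes>" -- len is a byte count, so slice by length, not by quote
        length = self._read_int()
        self._expect(b'"')
        chunk = self.data[self.pos:self.pos + length]
        if len(chunk) != length:
            raise NotSerialized("string shorter than declared length")
        self.pos += length
        self._expect(b'"')
        return chunk
    def _read_pairs(self) -> None:
        count = self._read_int()
        self._expect(b"{")
        for _ in range(count):
            self._value()  # key
            self._value()  # value, which may itself be an object
        self._expect(b"}")
    def _value(self) -> None:
        tag, self.pos = self.data[self.pos:self.pos + 1], self.pos + 1
        if tag == b"N":
            self._expect(b";")
        elif tag in (b"b", b"i", b"d"):  # scalar: b:1;  i:42;  d:1.5;
            self._expect(b":")
            self._read_until(b";")
        elif tag == b"s":
            self._expect(b":")
            self._read_string()
            self._expect(b";")
        elif tag == b"a":
            self._expect(b":")
            self._read_pairs()
        elif tag == b"O":  # O:<len>:"<Class>":<n>:{...}  -- the object-injection carrier
            self._expect(b":")
            self.classes.append(self._read_string().decode("latin-1"))
            self._expect(b":")
            self._read_pairs()
        else:  # includes C: (custom serialization), which this walker does not model
            raise NotSerialized(f"unknown tag {tag!r}")
    def parse(self) -> list[str]:
        self._value()
        if self.pos != len(self.data):
            raise NotSerialized("trailing bytes")
        return self.classes

def php_object_classes(value: bytes | str) -> list[str]:
    """Class names if value is a PHP serialize() blob (raw, URL-encoded or base64); [] otherwise."""
    raw = value.encode("latin-1", "replace") if isinstance(value, str) else value
    candidates = [raw, unquote_to_bytes(raw.replace(b"+", b" "))]
    for blob in list(candidates):
        try:
            candidates.append(base64.b64decode(blob, validate=True))
        except ValueError:  # binascii.Error: not base64, skip this form
            pass
    for blob in candidates:
        try:
            return PhpSerializeScanner(blob).parse()
        except NotSerialized:
            continue
    return []

def scan_params(params: dict[str, str]) -> dict[str, list[str]]:
    """Only the parameters carrying a serialized object, with the class names seen."""
    return {k: c for k, v in params.items() if (c := php_object_classes(v))}

# Constructed sample form submission; nothing here is taken from the advisory.
SAMPLE_PARAMS = {
    "settings_json": '{"email":"a@b.example"}',
    "settings_php": 'a:1:{s:5:"email";s:11:"a@b.example";}',  # array, no object: benign
    "lead": 'O:8:"stdClass":1:{s:4:"name";s:3:"foo";}',
    "lead_urlenc": "a%3A1%3A%7Bi%3A0%3BO%3A8%3A%22stdClass%22%3A0%3A%7B%7D%7D",
    "lead_b64": base64.b64encode(b'O:8:"stdClass":0:{}').decode(),
    "truncated": 'O:8:"stdClass"',  # incomplete: unserialize() would reject it too
}
```

`scan_params(SAMPLE_PARAMS)` flags `lead`, `lead_urlenc` and `lead_b64` with class `stdClass` and ignores the JSON, the object-free array and the truncated value. The walker is deliberately strict, mirroring what unserialize() accepts, so any parameter it flags is one that PHP would actually turn into an object; a looser regex on `O:\d+:"` is cheaper for bulk log triage but will also fire on fragments that could never have deserialized. Class names other than the plugin's own (and anything from a framework with known gadget chains) are the ones worth escalating.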


Technical Details

Data Version: 5.2
Assigner Short Name: Patchstack
Date Reserved: 2025-09-25T15:20:09.847Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6943b04f4eb3efac3670086d

Added to database: 12/18/2025, 7:42:07 AM

Last enriched: 1/20/2026, 9:41:20 PM

Last updated: 2/7/2026, 12:27:27 PM
