CVE-2025-60209: Deserialization of Untrusted Data in CRM Perks Connector for Gravity Forms and Google Sheets
Deserialization of Untrusted Data vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets allows Object Injection. This issue affects Connector for Gravity Forms and Google Sheets: from n/a through <= 1.2.6.
AI Analysis
Technical Summary
CVE-2025-60209 is a critical security vulnerability identified in the CRM Perks Connector for Gravity Forms and Google Sheets WordPress plugin, specifically in versions up to and including 1.2.6. The vulnerability arises from insecure deserialization of untrusted data, which allows an attacker to perform object injection attacks. Object injection vulnerabilities occur when user-controllable input is deserialized without proper validation or sanitization, enabling attackers to instantiate arbitrary objects that can manipulate application logic, execute arbitrary code, or escalate privileges. In this case, the vulnerability is remotely exploitable over the network without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is severe, affecting confidentiality, integrity, and availability (C:H/I:H/A:H), meaning attackers can potentially execute arbitrary code, access sensitive data, modify or delete data, and disrupt services. The plugin serves as a connector between Gravity Forms—a popular WordPress form builder—and Google Sheets, facilitating data transfer and synchronization. Exploiting this vulnerability could allow attackers to compromise WordPress sites, steal or manipulate form data, and potentially pivot to other parts of the network. Although no known exploits are currently reported in the wild, the critical nature and ease of exploitation make it a high-risk threat. The vulnerability was reserved on 2025-09-25 and published on 2025-10-22, but no official patches or mitigations have been linked yet, indicating that affected users must be vigilant and proactive.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially for those using WordPress sites with the CRM Perks Connector for Gravity Forms and Google Sheets plugin. The potential impacts include unauthorized access to sensitive customer data collected via forms, manipulation or deletion of critical business data, and complete site takeover. This could lead to data breaches violating GDPR regulations, resulting in legal penalties and reputational damage. Additionally, attackers could disrupt business operations by defacing websites or causing denial of service. Given the plugin's role in automating data workflows between Gravity Forms and Google Sheets, exploitation could compromise data integrity across multiple systems. Organizations in sectors such as e-commerce, finance, healthcare, and public services that rely on these integrations are particularly vulnerable. The lack of authentication and user interaction requirements increases the likelihood of automated mass exploitation attempts, further elevating the threat level.
Mitigation Recommendations
1. Immediate action should be to monitor for an official patch from CRM Perks and apply it as soon as it becomes available.
2. Until a patch is released, consider disabling the Connector for Gravity Forms and Google Sheets plugin to eliminate the attack surface.
3. Restrict access to WordPress admin and plugin endpoints using IP whitelisting or web application firewall (WAF) rules to block suspicious requests targeting deserialization functions.
4. Implement network-level protections such as rate limiting and anomaly detection to identify and block exploitation attempts.
5. Conduct a thorough audit of WordPress sites to identify installations of the vulnerable plugin and assess exposure.
6. Review and harden WordPress security configurations, including disabling unnecessary plugins and enforcing least privilege principles.
7. Back up critical data regularly and ensure backups are isolated from the main network to enable recovery in case of compromise.
8. Educate IT and security teams about the vulnerability to ensure rapid detection and response to any suspicious activity.
9. Consider deploying runtime application self-protection (RASP) or endpoint detection and response (EDR) solutions capable of detecting exploitation attempts involving deserialization attacks.
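Recommendation 3 asks for WAF rules against requests that target deserialization. The following is an added detection example, not code from CRM Perks or Patchstack: it scans already-parsed request parameters for the `O:<len>:"<class>":` signature of a serialized PHP object, including when the value is base64-wrapped. The parameter names and sample requests are constructed placeholders, not traffic from the affected plugin.

```python
"""Flag request parameters that carry a serialized PHP object (added example,
not CRM Perks or Patchstack code). Assumes parameters have already been split
out of WAF or access logs; the requests at the bottom are constructed samples."""

import base64
import binascii
import re
from urllib.parse import parse_qs, quote_plus

# A serialized PHP object starts with O:<name length>:"<class>":<prop count>:{
# The ^ ; { : alternatives also catch objects nested in serialized arrays.
PHP_OBJECT_RE = re.compile(r'(?:^|[;{:])O:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')

def _layers(value: str) -> list[str]:
    """The value plus its base64-decoded form, if it is valid base64 (parse_qs has already URL-decoded it)."""
    layers = [value]
    try:
        layers.append(base64.b64decode(value, validate=True).decode("utf-8", "replace"))
    except (binascii.Error, ValueError):
        pass  # not base64; inspect the raw string only
    return layers

def php_object_classes(value: str) -> list[str]:
    """Class names of every serialized PHP object found in the value, in order."""
    return [m.group(1) for layer in _layers(value) for m in PHP_OBJECT_RE.finditer(layer)]

def scan_request(query: str, body: str = "") -> dict[str, list[str]]:
    """Map each parameter containing a serialized PHP object to the class names it carries."""
    hits: dict[str, list[str]] = {}
    for source in (query, body):
        for name, values in parse_qs(source, keep_blank_values=True).items():
            for value in values:
                classes = php_object_classes(value)
                if classes:
                    hits.setdefault(name, []).extend(classes)
    return hits

# Constructed (query, body) samples, not captured traffic; stdClass stands in for any class.
SAMPLE_REQUESTS = [
    ("action=sample_sync&form_id=3", "note=TODO%3A+review"),  # benign
    ("action=sample_sync", "settings=" + quote_plus('O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}')),
    ("data=" + quote_plus(base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode()), ""),
]

def scan_samples() -> list[dict[str, list[str]]]:
    """Run the detector over the constructed samples; a non-empty dict means an alert."""
    return [scan_request(query, body) for query, body in SAMPLE_REQUESTS]
```

A hit only shows that a serialized object reached the endpoint; pair it with the plugin version from recommendation 5 before treating it as an exploitation attempt.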
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-09-25T15:34:23.205Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68f8eff604677bbd79439a9d
Added to database: 10/22/2025, 2:53:42 PM
Last enriched: 10/29/2025, 5:25:07 PM
Last updated: 10/30/2025, 7:37:49 AM