Deserialization Vulnerability in WP Gravity Forms Insightly by CRM Perks
CVE-2025-60090

9.8CRITICAL

Key Information:

Vendor

WordPress
Status
WP Gravity Forms Insightly
Vendor
CVE Published:
18 December 2025

What is CVE-2025-60090?

A deserialization of untrusted data vulnerability exists in the WP Gravity Forms Insightly plugin developed by CRM Perks. This flaw allows for object injection, enabling attackers to exploit the application if untrusted data is processed. Affected versions are those prior to or equal to 1.1.6, which may permit unauthorized commands or access to sensitive data through this vulnerability.

Affected Version(s)

WP Gravity Forms Insightly <= n/a

References

https://vdp.patchstack.com/database/Wordpress/Plugin/gf-i...
vdb-entry

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Phat RiO - BlueRock | Patchstack Bug Bounty Program
JSON
.
CVE-2025-60090 : Deserialization Vulnerability in WP Gravity Forms Insightly by CRM Perks