CVE-2025-60089

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code through deserialization of untrusted data in the WP Gravity Forms FreshDesk Plugin. Attackers can achieve remote code execution by sending specially crafted requests. All WordPress sites using vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WP Gravity Forms FreshDesk Plugin (gf-freshdesk)
Versions: All versions up to and including 1.3.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with the vulnerable plugin enabled. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, website defacement, malware installation, and lateral movement within the network.

🟠 Likely Case

Remote code execution allowing attackers to create backdoors, steal sensitive data, and use the server for malicious activities.

🟢 If Mitigated

Limited impact if proper web application firewalls and input validation are in place, though exploitation risk remains high.

🌐 Internet-Facing: HIGH - WordPress plugins are typically exposed to the internet and this vulnerability requires no authentication.
🏢 Internal Only: MEDIUM - Internal systems using the plugin could be exploited if attackers gain internal network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Deserialization vulnerabilities are commonly weaponized. While no public PoC exists, exploitation is straightforward for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.6 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/gf-freshdesk/vulnerability/wordpress-wp-gravity-forms-freshdesk-plugin-plugin-1-3-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'WP Gravity Forms FreshDesk Plugin'.
4. Update to version 1.3.6 or later.
5. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable Plugin (applies to: all)

Temporarily disable the vulnerable plugin until patching is possible:

wp plugin deactivate gf-freshdesk

Web Application Firewall Rules (applies to: all)

Block requests containing serialized PHP objects or suspicious patterns.

🧯 If You Can't Patch

  • Remove the plugin completely from all WordPress installations
  • Implement strict network segmentation to isolate affected systems

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > WP Gravity Forms FreshDesk Plugin version

Check Version:

wp plugin get gf-freshdesk --field=version

Verify Fix Applied:

Verify plugin version is 1.3.6 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WordPress admin-ajax.php or plugin endpoints
  • PHP deserialization errors in logs
  • Unexpected file creation in wp-content/uploads

Network Indicators:

  • HTTP requests containing serialized PHP objects (O: or C: patterns)
  • Traffic to known malicious domains from WordPress server

SIEM Query:

source="wordpress.log" AND ("gf-freshdesk" OR "admin-ajax.php") AND ("O:" OR "C:" OR "unserialize")
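As an added example (not part of this advisory or of the plugin's code), a Python classifier that applies the indicators above to decoded request records; the record format, the sample requests and the plugin path under wp-content/plugins are constructed assumptions. It tightens the bare `O:`/`C:` match used in the SIEM query to the full `O:<len>:"<class>":` form, which removes most false positives from ordinary text.

```python
import re
from typing import Optional
from urllib.parse import unquote_plus

# Serialized PHP object markers look like O:<len>:"<class>":<n>:{...} or C:<len>:"<class>":<len>:{...}.
# Matching bare "O:" / "C:" (as the SIEM query above does) is noisy; requiring the length
# field and the quoted class name cuts most false positives.
PHP_OBJECT_RE = re.compile(r'(?<![A-Za-z0-9])[OC]:\d+:"[A-Za-z0-9_\\]+":')
# Assumption: requests reach the plugin via admin-ajax.php or its own plugin directory.
PLUGIN_PATH_RE = re.compile(r'/wp-admin/admin-ajax\.php|/wp-content/plugins/gf-freshdesk/', re.I)


def classify(request: dict) -> Optional[str]:
    """Return a reason string if the request looks like a PHP deserialization probe, else None.

    `request` is a decoded record {ip, method, uri, body} as a WAF or reverse proxy with
    request-body logging would emit; plain access logs carry no POST body, so body-level
    detection needs that logging enabled. URL-encoding is undone before matching.
    """
    uri = unquote_plus(request.get("uri", ""))
    body = unquote_plus(request.get("body", ""))
    where = [name for name, part in (("uri", uri), ("body", body)) if PHP_OBJECT_RE.search(part)]
    if not where:
        return None
    if PLUGIN_PATH_RE.search(uri):
        return f"serialized PHP object in {'/'.join(where)} sent to plugin endpoint"
    return f"serialized PHP object in {'/'.join(where)} (non-plugin endpoint, lower confidence)"


def scan(requests: list) -> list:
    """Run classify() over a batch; return (ip, reason) for every flagged request."""
    return [(r["ip"], reason) for r in requests if (reason := classify(r))]


# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=gf_freshdesk&data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A1%3A%22a%22%3Bi%3A1%3B%7D"},
    {"ip": "198.51.100.7", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=heartbeat", "body": ""},
    # Benign text that contains "O:" and "C:" but no serialized object.
    {"ip": "198.51.100.9", "method": "POST", "uri": "/contact/", "body": "note=Order+NO%3A+12345%2C+C%3A+drive"},
    {"ip": "203.0.113.6", "method": "POST", "uri": "/blog/",
     "body": 'payload=C:11:"ArrayObject":21:{x:i:0;a:0:{};m:a:0:{}}'},
]

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_REQUESTS):
        print(f"{ip}: {reason}")
```

Base64-wrapped or otherwise encoded payloads are not decoded here; add the relevant decoding step if your WAF logs them that way.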
