CVE-2025-60090

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on WordPress sites running the WP Gravity Forms Insightly plugin. The plugin deserializes untrusted data, so attackers can inject crafted PHP objects (PHP object injection) and take control of affected systems. All WordPress sites running vulnerable versions of this plugin are affected.

💻 Affected Systems

Products:
  • WP Gravity Forms Insightly plugin
Versions: All versions up to and including 1.1.6
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress with Gravity Forms and the Insightly plugin installed

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise leading to data theft, ransomware deployment, or website defacement

🟠 Likely Case: Unauthenticated remote code execution allowing attackers to create backdoors, steal data, or pivot to internal networks

🟢 If Mitigated: Limited impact if the plugin is disabled or isolated with strict network controls

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A CVSS score of 9.8 indicates low-complexity, unauthenticated exploitation with high impact; deserialization vulnerabilities are commonly weaponized

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.7 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/gf-insightly/vulnerability/wordpress-wp-gravity-forms-insightly-plugin-1-1-5-deserialization-of-untrusted-data-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'WP Gravity Forms Insightly'
4. Click 'Update Now' if an update is available
5. If no update appears, manually download version 1.1.7 or later from the WordPress.org plugin repository
6. Deactivate the old plugin, upload the new version, then activate it

🔧 Temporary Workarounds

Disable vulnerable plugin (all platforms)

Temporarily deactivate the WP Gravity Forms Insightly plugin until it is patched:

wp plugin deactivate gf-insightly

Restrict plugin access (linux)

Use a web application firewall, or a web-server rule such as the one below, to block requests to the vulnerable plugin's PHP files:

# Add to wp-content/plugins/gf-insightly/.htaccess (not the site-root .htaccess,
# which would block every PHP file on the site). These are Apache 2.2-style
# directives; on Apache 2.4 they need mod_access_compat enabled.
<FilesMatch "\.(php|inc)$">
Order Deny,Allow
Deny from all
</FilesMatch>

🧯 If You Can't Patch

  • Remove the WP Gravity Forms Insightly plugin completely from all WordPress installations
  • Implement strict network segmentation and web application firewall rules to block all traffic to vulnerable endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for 'WP Gravity Forms Insightly' version ≤1.1.6

Check Version:

wp plugin get gf-insightly --field=version

Verify Fix Applied:

Confirm plugin version is 1.1.7 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-content/plugins/gf-insightly/
  • PHP deserialization errors in web server logs
  • Unexpected file creation in WordPress directories

Network Indicators:

  • HTTP requests whose parameters contain serialized PHP objects (for example values beginning with O:<n>:"<class>", possibly URL- or base64-encoded)
  • Traffic matching known exploit patterns for CVE-2025-60090

SIEM Query:

source="web_logs" AND (uri_path="/wp-content/plugins/gf-insightly/" OR message="unserialize" OR message="PHP Object injection")

(Illustrative query: adapt the field names to your SIEM and use substring or wildcard matching for the message terms, since an exact match on "unserialize" will not hit real log messages.)
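As an added example (not part of this advisory), the following Python script applies the log indicators above to constructed Apache access-log lines: it flags POST requests to the plugin path and any request URI that carries a PHP serialized object, plain or base64-wrapped. The endpoint file name and every log line are constructed placeholders; access logs do not record POST bodies, so body inspection would need a WAF or audit log.

```python
import base64
import re
from urllib.parse import unquote

# Plugin path from the advisory; "example-endpoint.php" and all log lines are constructed placeholders.
PLUGIN_PATH = "/wp-content/plugins/gf-insightly/"
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:12:00:01 +0000] "POST /wp-content/plugins/gf-insightly/example-endpoint.php?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-content/plugins/gf-insightly/css/style.css HTTP/1.1" 200 2048
192.0.2.9 - - [10/Oct/2025:12:00:03 +0000] "POST /wp-content/plugins/gf-insightly/example-endpoint.php?state=Tzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D HTTP/1.1" 200 77
192.0.2.10 - - [10/Oct/2025:12:00:04 +0000] "POST /wp-content/plugins/gf-insightly/example-endpoint.php HTTP/1.1" 200 90
"""

# Apache combined-format request line; bodies are not in access logs, so only the URI is inspected here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')
# PHP object marker: O:<len>:"<class>":<props>:{   (C: is the custom-serializable form)
PHP_OBJ_RE = re.compile(r'[OC]:\d+:"[^"]*":\d+:\{')
# Base64 of text beginning with "O:" always starts with "Tzo"
B64_RE = re.compile(r'Tzo[A-Za-z0-9+/]{6,}={0,2}')


def contains_php_object(text: str) -> str:
    """Return why `text` looks like it carries a serialized PHP object, or '' if it does not."""
    decoded = unquote(text)                      # undo %-encoding first
    if PHP_OBJ_RE.search(decoded):
        return "serialized PHP object"
    for tok in B64_RE.findall(decoded):          # also look inside base64-wrapped values
        try:
            blob = base64.b64decode(tok + "=" * (-len(tok) % 4)).decode("latin-1")
        except ValueError:                       # binascii.Error is a ValueError subclass
            continue
        if PHP_OBJ_RE.search(blob):
            return "base64-wrapped serialized PHP object"
    return ""


def scan_log(lines):
    """Return (ip, uri, reason) for each request that matches the advisory's log indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                             # malformed or non-matching line
        reason = contains_php_object(m["uri"])
        if not reason and m["method"] == "POST" and m["uri"].startswith(PLUGIN_PATH):
            reason = "POST to affected plugin path"
        if reason:
            hits.append((m["ip"], m["uri"], reason))
    return hits
```

Run `scan_log(SAMPLE_LOG.splitlines())` to see the three flagged requests; feed it real access-log lines (one per element) to triage a site.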
