CVE-2025-60091

9.8 CRITICAL

📋 TL;DR

The WP Gravity Forms Zoho CRM and Bigin plugin deserializes attacker-controlled data (PHP object injection), which lets a remote attacker instantiate arbitrary PHP objects on any WordPress site running a vulnerable version. No authentication is required. Whether object injection becomes code execution depends on a usable gadget chain (a loadable class with an exploitable magic method such as __destruct or __wakeup) being present on the site; on a typical WordPress install with many plugins that is commonly the case, which is why the issue is rated as remote code execution.

💻 Affected Systems

Products:
  • WP Gravity Forms Zoho CRM and Bigin (gf-zoho)
Versions: All versions up to and including 1.2.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects WordPress installations with the vulnerable plugin activated.

📦 What is this software?

A WordPress plugin (slug gf-zoho) that forwards Gravity Forms submissions to Zoho CRM and Zoho Bigin. It runs on the web server with the privileges of the WordPress PHP process, so a flaw in it exposes the whole site, not just the form integration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the WordPress site with remote code execution, data theft, and potential lateral movement to other systems.

🟠

Likely Case

Remote code execution leading to website defacement, malware installation, or data exfiltration.

🟢

If Mitigated

Limited impact if the plugin has been updated to 1.3.0 or later, or deactivated until it can be updated; a web application firewall that rejects serialized PHP object payloads before they reach the plugin reduces exposure but is not a substitute for either.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ❌ No (none known at time of writing)
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

PHP object-injection flaws in widely deployed WordPress plugins are typically weaponized within days of disclosure; the main limiting factor for an attacker is finding a gadget chain among the classes loadable on the target site.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.0 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/gf-zoho/vulnerability/wordpress-wp-gravity-forms-zoho-crm-and-bigin-plugin-1-2-8-deserialization-of-untrusted-data-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins.
3. Find 'WP Gravity Forms Zoho CRM and Bigin'.
4. Update to version 1.3.0 or later.
5. Verify the update completed successfully (the plugin's version column should read 1.3.0 or higher).

🔧 Temporary Workarounds

Disable Plugin

Platform: all

Temporarily deactivate the vulnerable plugin until patching is possible. This is the only workaround that actually removes the vulnerable code path from request handling; Gravity Forms submissions will stop syncing to Zoho while it is off.

wp plugin deactivate gf-zoho

Restrict Access

Platform: all

Put a web application firewall in front of the site and drop requests whose parameters carry a serialized PHP object marker (O:<n>:"ClassName":), including URL-encoded and base64-encoded variants. The vulnerable request handler is not identified here, so scope the rule to every plugin-reachable entry point (admin-ajax.php, REST routes, form submission handlers) rather than a single path.

🧯 If You Can't Patch

  • Deactivate the plugin (see Disable Plugin above); site-level input validation cannot be retrofitted onto third-party plugin code, and the vendor's own validation fix ships in 1.3.0
  • Deploy a web application firewall with PHP object-injection rules that reject serialized-object markers (O:<n>:"ClassName":) in request parameters, including URL- and base64-encoded forms; this reduces exposure but can be bypassed by encodings the rule does not cover
  • Keep the number of installed plugins and themes to a minimum, since every loadable class is a potential gadget for the injected object

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel go to Plugins > WP Gravity Forms Zoho CRM and Bigin and read the version number; anything up to and including 1.2.9 is vulnerable. An installed-but-inactive copy at a vulnerable version should still be updated before it is ever re-enabled.

Check Version:

wp plugin list --name=gf-zoho --field=version

Verify Fix Applied:

Confirm the plugin version reads 1.3.0 or higher in the WordPress admin panel (or in the WP-CLI output above). Compare versions numerically, not as strings: 1.2.10 would still be vulnerable but sorts after 1.3.0 in a plain string comparison.
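The manual checks above do not scale across a fleet of sites. The script below is an added example for this page, not WP-CLI or plugin code: it parses the JSON that `wp plugin list --format=json` prints (the SAMPLE_OUTPUT here is constructed to match that shape, with made-up versions) and decides whether gf-zoho is installed, whether its version is below the 1.3.0 fix named on this page, and whether the vulnerable copy is actually active. Versions are compared numerically so 1.2.10 and 1.3 are handled correctly.

```python
"""Decide from `wp plugin list --format=json` output whether the gf-zoho
plugin is installed at a version below the fix (1.3.0) and whether it is active.

Added example for this page, not part of WP-CLI or the plugin. SAMPLE_OUTPUT
is constructed to look like WP-CLI's JSON output (made-up versions); for a real
site, pipe `wp plugin list --format=json` into assess().
"""
import json

PLUGIN_SLUG = "gf-zoho"
FIXED_VERSION = "1.3.0"  # first patched release named on this page


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.2.9' into (1, 2, 9). Non-numeric suffixes such as '1.3.0-beta'
    are trimmed to their numeric prefix; a missing component becomes 0."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Numeric less-than on dotted versions, padding the shorter one with
    zeros so '1.3' equals '1.3.0' instead of sorting before it."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) < pb + (0,) * (width - len(pb))


def assess(wp_cli_json: str) -> dict:
    """Return installed/version/status plus two verdicts:
    needs_update  - installed version is below FIXED_VERSION
    exposed       - needs_update AND the plugin is active (code is loaded)"""
    for plugin in json.loads(wp_cli_json):
        if plugin.get("name") == PLUGIN_SLUG:
            version = plugin.get("version", "")
            status = plugin.get("status")
            needs_update = version_lt(version, FIXED_VERSION)
            return {
                "installed": True,
                "version": version,
                "status": status,
                "needs_update": needs_update,
                # a deactivated copy is not loaded by WordPress, but still
                # needs the update before anyone re-enables it
                "exposed": needs_update and status == "active",
            }
    return {"installed": False, "version": None, "status": None,
            "needs_update": False, "exposed": False}


# Constructed sample in the shape WP-CLI prints; versions are made up.
SAMPLE_OUTPUT = json.dumps([
    {"name": "gravityforms", "status": "active", "update": "none", "version": "2.9.1"},
    {"name": "gf-zoho", "status": "active", "update": "available", "version": "1.2.9"},
])

if __name__ == "__main__":
    result = assess(SAMPLE_OUTPUT)
    print(result)
    if result["exposed"]:
        print("ACTION: update with `wp plugin update gf-zoho`, or deactivate until you can")
```

Feed the real output with `wp plugin list --format=json | python3 check_gf_zoho.py` (reading stdin instead of SAMPLE_OUTPUT) and remediate with `wp plugin update gf-zoho`; `exposed` is the flag to alert on, `needs_update` the one to track to closure.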

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to plugin entry points (admin-ajax.php actions, REST routes or form handlers belonging to gf-zoho), especially from clients that never loaded a form page
  • PHP notices from unserialize() in the error log ("unserialize(): Error at offset N of M bytes") or references to __PHP_Incomplete_Class, both of which indicate serialized data being parsed from input
  • Unexpected file creation or modification under wp-content/ (uploads, plugins, themes), or new scheduled tasks and admin users following such requests

Network Indicators:

  • HTTP request parameters containing a serialized PHP object marker, O:<n>:"ClassName":<count>:{ , either raw, URL-encoded (O%3A8%3A%22...) or base64-encoded
  • Bursts of requests to plugin-specific entry points from a single client, or probing of many WordPress sites with the same payload shape

SIEM Query:

source="wordpress.log" AND ("gf-zoho" OR "zoho-crm") AND ("unserialize" OR "deserialization" OR "__PHP_Incomplete_Class")

Note that standard web-server access logs do not record POST bodies, so the serialized-object markers above are only visible where a WAF, reverse proxy or PHP error log captures request content.
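A SIEM string match misses payloads that arrive URL-encoded or base64-encoded, which is the normal case for form-encoded POST data. The detector below is an added example for this page, not code from the plugin, the vendor or any WAF product: it checks each request line raw, URL-decoded, and after base64-decoding any long base64-looking token, and only flags serialized PHP objects (O:...), not arrays, since a:N:{...} appears in legitimate WordPress traffic. It also requires the declared class-name length to match the name, as PHP itself does, to cut accidental matches. The request lines are constructed; the action name gf_zoho_sync is a hypothetical placeholder, not a documented plugin endpoint, and the stdClass payload is harmless so the detector can be exercised without a gadget chain.

```python
"""Flag requests that carry a serialized PHP object (the payload shape a PHP
object-injection exploit needs), checking the raw line, its URL-decoded form
and any base64-encoded tokens inside it.

Added example for this page, not code from the gf-zoho plugin or the vendor.
The request lines below are constructed; the action name gf_zoho_sync is a
hypothetical placeholder, not a documented plugin endpoint.
"""
import base64
import binascii
import re
import urllib.parse

# A PHP object serializes as  O:<name length>:"<ClassName>":<property count>:{
# Arrays (a:N:{...}) occur in legitimate WordPress traffic, so only objects
# are flagged.
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([^"]+)":\d+:\{')

# Long base64-looking tokens in the standard or URL-safe alphabet. '=' is kept
# out of the body so a preceding "param=" is not glued onto the token.
BASE64_TOKEN_RE = re.compile(r'[A-Za-z0-9+/_-]{16,}={0,2}')


def _base64_layers(token: str) -> list[str]:
    """Decode token with both alphabets, keeping whatever decodes cleanly
    (latin-1 so arbitrary bytes survive for the regex)."""
    padded = token + "=" * (-len(token) % 4)
    layers = []
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            layers.append(decoder(padded).decode("latin-1"))
        except (binascii.Error, ValueError):
            continue
    return layers


def find_php_objects(text: str) -> list[str]:
    """Return class names of serialized PHP objects found in text.

    The declared name length must equal the real class-name length, as PHP
    requires, which removes most accidental matches.
    """
    decoded = urllib.parse.unquote_plus(text)
    layers = [text, decoded]
    for token in BASE64_TOKEN_RE.findall(decoded):
        layers.extend(_base64_layers(token))

    classes: list[str] = []
    for layer in layers:
        for declared_len, name in PHP_OBJECT_RE.findall(layer):
            if int(declared_len) == len(name) and name not in classes:
                classes.append(name)
    return classes


def scan_requests(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (client_ip, [class names]) for each request line carrying a
    serialized PHP object. Lines are '<ip> <method> <path> <body>'."""
    hits = []
    for line in lines:
        classes = find_php_objects(line)
        if classes:
            hits.append((line.split(" ", 1)[0], classes))
    return hits


# Constructed sample: a harmless stdClass object stands in for a real payload.
PAYLOAD = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'
PREFIX = "POST /wp-admin/admin-ajax.php action=gf_zoho_sync&"  # hypothetical action
SAMPLE_REQUESTS = [
    # benign form submission
    "203.0.113.5 " + PREFIX + "input_1=Alice&input_2=alice%40example.com",
    # object, URL-encoded as a browser or curl --data-urlencode sends it
    "198.51.100.7 " + PREFIX + "data=" + urllib.parse.quote(PAYLOAD, safe=""),
    # same object, base64-encoded and then URL-encoded
    "198.51.100.8 " + PREFIX + "data="
    + urllib.parse.quote(base64.b64encode(PAYLOAD.encode()).decode(), safe=""),
    # benign serialized array: must not be flagged
    "203.0.113.9 " + PREFIX + "data=" + urllib.parse.quote('a:1:{i:0;s:1:"x";}', safe=""),
]

if __name__ == "__main__":
    for ip, classes in scan_requests(SAMPLE_REQUESTS):
        print(f"{ip}: serialized PHP object(s) {classes}")
```

Run it over whatever log source actually records request bodies or parameters (WAF audit log, reverse-proxy body logging, or the PHP error log when unserialize() notices include the offending data). A hit naming a class other than stdClass is the interesting case, since attackers choose the class for its magic methods; stdClass hits are usually probes.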
