CVE-2025-60174

9.8 CRITICAL

📋 TL;DR

This vulnerability lets an unauthenticated attacker hand attacker-controlled serialized data to the WP Gravity Forms Constant Contact plugin, which deserializes it (deserialization of untrusted data, CWE-502, i.e. PHP object injection). Depending on the classes loaded on the site, this can escalate to remote code execution, data theft, or complete site compromise. Every WordPress site running an affected plugin version is exposed.

💻 Affected Systems

Products:
  • WP Gravity Forms Constant Contact Plugin (gf-constant-contact)
Versions: All versions up to and including 1.1.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress site with Gravity Forms and the WP Gravity Forms Constant Contact plugin installed and active. No special configuration is needed for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data exfiltration, ransomware deployment, or use of the host as a platform for lateral movement.

🟠 Likely Case

Website defacement, credential theft, malware injection, or unauthorized administrative access to the WordPress site.

🟢 If Mitigated

Reduced impact if a web application firewall drops serialized payloads and the plugin is deactivated or updated. A WAF on its own only raises the bar, because URL-encoded, double-encoded or base64-wrapped payloads can slip past literal pattern rules, so the risk remains significant until the patch is applied.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No (none known at time of writing)
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

PHP deserialization flaws are routinely weaponized once a gadget chain is known. The 9.8 score corresponds to a network-reachable flaw exploitable with low complexity, no privileges and no user interaction, with high confidentiality, integrity and availability impact. Whether a given site yields code execution depends on the classes loaded alongside the plugin (a usable gadget chain in WordPress core, Gravity Forms or another installed plugin or theme), so treat every affected install as fully compromisable rather than waiting for a public exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.3 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/gf-constant-contact/vulnerability/wordpress-wp-gravity-forms-constant-contact-plugin-plugin-1-1-2-deserialization-of-untrusted-data-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Gravity Forms Constant Contact Plugin'.
4. Click 'Update Now' if available.
5. If no update appears, manually download version 1.1.3 or later from the WordPress plugin repository and replace the plugin files.

🔧 Temporary Workarounds

Disable Plugin (platform: all)

Temporarily deactivate the vulnerable plugin until it is patched:

wp plugin deactivate gf-constant-contact

Web Application Firewall Rule (platform: all)

Block deserialization attempts at the WAF layer.

Add a rule that blocks requests whose POST/PUT body contains PHP serialized-object syntax (O:<length>:"<ClassName>":, and C: for custom-serialized classes). Apply the match after URL-decoding parameter values, after a second URL-decode for double-encoded payloads, and after attempting base64 decoding, since attackers routinely encode payloads to evade literal pattern matches. Run the rule in detection-only mode first to confirm legitimate traffic does not trip it, then switch to blocking.
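The matching logic behind such a rule, as an added example that is not the plugin's code and not any vendor's rule syntax. It assumes application/x-www-form-urlencoded bodies (the usual case for WordPress) and uses constructed sample bodies; the class name stdClass stands in for whatever gadget class a real payload would name.

```python
"""WAF decision logic for serialized PHP object payloads (added example).

Not the plugin's code and not any vendor's rule syntax: it is the matching
logic a practitioner would port into a WAF rule. It assumes
application/x-www-form-urlencoded bodies, the common case for WordPress.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote_plus

# PHP serialization of an object: O:<name length>:"<class name>":<prop count>:{...}
# C: is the custom-serialization form. The lookbehind stops "VIDEO:12:" matching.
OBJ_RE = re.compile(r'(?<![A-Za-z0-9_])([OC]):(\d+):"([A-Za-z0-9_\\]+)":')
B64_RE = re.compile(r"[A-Za-z0-9+/=]+")


def _try_base64(value: str):
    """Return the UTF-8 text behind a base64-looking value, or None."""
    s = value.strip()
    if len(s) < 8 or not B64_RE.fullmatch(s):
        return None
    try:
        raw = base64.b64decode(s + "=" * (-len(s) % 4), validate=False)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def _layers(body: str):
    """Yield (layer, param, text) for every representation worth scanning."""
    yield ("raw", None, body)
    for name, value in parse_qsl(body, keep_blank_values=True):
        yield ("form", name, value)            # one URL-decode (done by parse_qsl)
        twice = unquote_plus(value)
        if twice != value:
            yield ("urldecoded", name, twice)  # double-encoded payloads
        decoded = _try_base64(value)
        if decoded is not None:
            yield ("base64", name, decoded)    # base64-wrapped payloads


def find_serialized_objects(body: str):
    """Return one finding per serialized object found, with the layer it hid in."""
    findings = []
    for layer, param, text in _layers(body):
        for m in OBJ_RE.finditer(text):
            declared_len, cls = int(m.group(2)), m.group(3)
            # Genuine serialized data declares the exact class-name length;
            # requiring it removes accidental matches in free text.
            if declared_len == len(cls):
                findings.append({"layer": layer, "param": param, "class": cls})
    return findings


def waf_decision(body: str) -> str:
    """'block' when any layer contains a serialized PHP object, else 'allow'."""
    return "block" if find_serialized_objects(body) else "allow"


# Constructed sample bodies (not captured traffic). stdClass is used only
# because it always exists; a real attack names a gadget class.
SAMPLE_CLEAN = "input_1=John+Doe&input_2=john%40example.com"
SAMPLE_URLENC = "input_1=x&payload=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"
SAMPLE_DOUBLE = "p=O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D"
SAMPLE_B64 = "data=" + base64.b64encode(b'O:8:"stdClass":0:{}').decode()

if __name__ == "__main__":
    for body in (SAMPLE_CLEAN, SAMPLE_URLENC, SAMPLE_DOUBLE, SAMPLE_B64):
        print(waf_decision(body), find_serialized_objects(body))
```

The length check (declared name length must equal the class-name length) is what keeps the rule from firing on ordinary text that happens to contain a colon-separated token; the three decoding layers are what keep it from being trivially bypassed.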

🧯 If You Can't Patch

  • Isolate the affected WordPress instance behind strict network segmentation so a compromised web server cannot reach other systems
  • Monitor for PHP spawning shells or unexpected child processes, and for file creation or modification under wp-content and other web-writable paths

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for 'WP Gravity Forms Constant Contact Plugin' version 1.1.2 or earlier

Check Version:

wp plugin get gf-constant-contact --field=version

Verify Fix Applied:

Confirm plugin version is 1.1.3 or later in WordPress admin panel
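For checking many sites at once without WP-CLI, the following added example (not part of the advisory) reads the Version: header from the plugin's main PHP file, the same header WordPress itself reads from the first 8 KB of the file, and compares it numerically so that 1.1.10 sorts after 1.1.3. It assumes the standard layout wp-content/plugins/gf-constant-contact/; the sample header is constructed, not the plugin's real file.

```python
"""Fleet-wide version check for CVE-2025-60174 without WP-CLI (added example).

Not part of the advisory. It assumes the standard WordPress layout, where the
plugin lives under wp-content/plugins/gf-constant-contact/ and its main PHP
file declares a 'Version:' header in the first 8 KB, which is what WordPress
itself reads.
"""
import re
import sys
from pathlib import Path

PLUGIN_SLUG = "gf-constant-contact"
FIXED_VERSION = "1.1.3"
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(v: str) -> tuple:
    """Turn '1.1.10' into a comparable tuple, so '1.1.10' > '1.1.3' unlike a string compare.

    A pre-release suffix ('1.1.3-beta') ranks below the bare release and is
    therefore treated as still unpatched (assumption: the fix shipped in the release build).
    """
    core, _, tail = v.strip().partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums) + ((-1,) if tail else (0,))


def is_vulnerable(version: str) -> bool:
    """True for every version up to and including 1.1.2."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def version_from_header(source: str):
    """Extract the Version: line from a plugin file header, or None."""
    m = HEADER_RE.search(source[:8192])
    return m.group(1) if m else None


def audit_header(source: str):
    """(version, vulnerable) for one plugin file's contents; (None, None) if no header."""
    v = version_from_header(source)
    return (v, is_vulnerable(v)) if v else (None, None)


def audit_site(docroot: Path):
    """Scan a site's plugin directory; (version, vulnerable), or (None, None) if absent."""
    plugin_dir = docroot / "wp-content" / "plugins" / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return (None, None)
    for php in sorted(plugin_dir.glob("*.php")):
        result = audit_header(php.read_text(errors="replace"))
        if result[0]:
            return result
    return (None, None)


# Constructed header, not the plugin's real file contents.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WP Gravity Forms Constant Contact Plugin
 * Version: 1.1.2
 */
"""

if __name__ == "__main__":
    # Usage: python3 check_gfcc.py /var/www/site1 /var/www/site2 ...
    for root in sys.argv[1:]:
        version, vulnerable = audit_site(Path(root))
        state = "not installed" if version is None else ("VULNERABLE" if vulnerable else "patched")
        print(f"{root}: {PLUGIN_SLUG} {version or '-'} {state}")
```

Run it with one or more document roots as arguments; a site where the plugin directory is missing reports "not installed", which is also the expected result after removing the plugin outright.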

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WordPress admin-ajax.php or to the plugin's own endpoints, especially bursts from a single source
  • PHP notices from unserialize() ("Error at offset" on malformed payloads) or objects of class __PHP_Incomplete_Class in error logs, which appear when serialized data names a class that was not loaded
  • Unexpected file creation in wp-content/uploads or other web-writable directories

Network Indicators:

  • HTTP requests carrying parameters in PHP serialization syntax (values containing O:<digits>:" or a:<digits>:{), possibly URL-encoded, double-encoded or base64-wrapped
  • Traffic patterns suggesting reconnaissance of plugin endpoints, such as probes for the plugin directory under wp-content/plugins/gf-constant-contact/

SIEM Query:

source="wordpress.log" AND ("unserialize" OR "gf-constant-contact" OR "admin-ajax.php") AND status>=400

On a busy site this matches plenty of benign traffic, because admin-ajax.php answers requests for an unknown action with a 400 status, so scanners and misbehaving plugins produce steady hits. Correlate by source IP and time window rather than alerting on single matches, and note that the "unserialize" term only matches PHP error output, not access-log lines.
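The intent of that query as runnable detection logic, as an added example that is not part of the advisory. It parses combined-format access-log lines and raises two kinds of alert: serialized-object syntax in a query string, and a burst of 4xx/5xx responses from one source to admin-ajax.php or the plugin directory. Access logs carry no POST bodies, so the first rule only sees GET-parameter payloads; body inspection belongs at the WAF. The plugin directory path is the standard slug location and is an assumption; the log lines are constructed.

```python
"""Access-log detection for CVE-2025-60174 probing (added example).

Not part of the advisory. Implements the SIEM query's intent over
Apache/Nginx combined-format lines: (1) serialized PHP object syntax in a
query string, (2) a burst of 4xx/5xx responses from one IP to admin-ajax.php
or the plugin's directory. The plugin directory path is an assumption.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
TARGET_PATHS = ("/wp-admin/admin-ajax.php", "/wp-content/plugins/gf-constant-contact/")
OBJ_RE = re.compile(r'(?<![A-Za-z0-9_])[OC]:\d+:"[A-Za-z0-9_\\]+":')
ERROR_BURST = 5  # 4xx/5xx responses from one IP to target paths before alerting


def parse_line(line: str):
    """Dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["path"], _, d["query"] = d["target"].partition("?")
    return d


def analyze(lines):
    """Alerts: one per IP sending serialized objects, one per IP in an error burst."""
    alerts = []
    errors = Counter()
    seen_serialized = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Rule 1: PHP object syntax in the (URL-decoded) query string, any path.
        if OBJ_RE.search(unquote_plus(rec["query"])) and rec["ip"] not in seen_serialized:
            seen_serialized.add(rec["ip"])
            alerts.append({"rule": "serialized_object_in_query", "ip": rec["ip"], "path": rec["path"]})
        # Rule 2: count error responses to the endpoints the query names.
        if rec["path"].startswith(TARGET_PATHS) and rec["status"] >= 400:
            errors[rec["ip"]] += 1
    for ip, count in errors.items():
        if count >= ERROR_BURST:
            alerts.append({"rule": "error_burst", "ip": ip, "count": count})
    return alerts


# Constructed log lines (not real traffic); IPs are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2025:11:59:58 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2025:11:59:59 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 42 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [10/Oct/2025:12:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 1 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/plugins/gf-constant-contact/?data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D HTTP/1.1" 200 0 "-" "curl/8.4.0"',
] + [
    f'203.0.113.5 - - [10/Oct/2025:12:00:0{i} +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 403 163 "-" "python-requests/2.32"'
    for i in range(1, 6)
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The single 400 from 192.0.2.11 stays below the burst threshold on purpose; that is the kind of noise the raw query would surface. Tune ERROR_BURST to the site's baseline before wiring the alert into paging.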
