Impact
This vulnerability allows an attacker to inject arbitrary PHP objects because the plugin deserializes data that comes from external sources. The flaw is rooted in the deserialization handling within the Gravity Forms Keap/Infusionsoft plugin, which passes user-supplied input to the deserializer without adequate validation. Exploitation of this weakness can give the attacker the ability to execute arbitrary code on the target WordPress installation, jeopardizing system integrity and data confidentiality.
Affected Systems
The issue affects the Gravity Forms Keap/Infusionsoft plugin provided by CRM Perks, version 1.2.3 and all earlier releases. The plugin integrates with WordPress installations that use Gravity Forms to collect and manage form data. Any site that has this plugin installed and is running a vulnerable version is potentially affected.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% shows a low but non-zero probability of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog, suggesting no confirmed widespread exploitation yet. The likely attack vector is remote, through crafted requests to the plugin's deserialization endpoint. An attacker with network access to the WordPress site could supply malicious payloads, triggering the deserialization and enabling code execution.
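As an added illustration, not code from the plugin itself, the following shows the pattern behind this class of flaw, unserialize() applied to attacker-controlled input, beside the hardened handling a maintainer would use; the function names, parameter names and sample inputs are assumptions.

```php
<?php
// Added illustration; not code from the Gravity Forms Keap/Infusionsoft plugin.
// Function names, parameter names and sample inputs below are assumptions.

// Vulnerable pattern: untrusted input reaches unserialize() unchecked, so any
// serialized object in the payload is instantiated and the magic methods
// (__wakeup, __destruct, ...) of loaded classes become reachable.
function restore_settings_vulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened handling: refuse payloads that carry serialized objects, and disable
// class instantiation so anything that slips through degrades to
// __PHP_Incomplete_Class instead of a live object.
function restore_settings_hardened(string $raw): array
{
    // Serialized objects are encoded as O:<len>:"<class>" or C:<len>:"<class>",
    // at the start of the payload or after a ';' when nested in an array.
    // The check fails closed: a string value that happens to contain the
    // token is rejected too, which is acceptable for configuration data.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a serialized array');
    }
    return $data;
}

// Preferred for new code: a data format with no object semantics at all.
function restore_settings_json(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    return $data;
}

// Constructed sample inputs: a benign settings array, then a harmless
// built-in object that still trips the object check.
$benign = serialize(['api_key' => 'placeholder-key', 'tags' => [1, 2]]);
var_dump(restore_settings_hardened($benign));

$object = serialize(new ArrayObject([]));
try {
    restore_settings_hardened($object);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```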
OpenCVE Enrichment