A deserialization vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin allows object injection when untrusted data is processed. The flaw can enable an attacker to inject malicious objects that ultimately lead to remote code execution or arbitrary code execution on the host server. The weakness is identified as CWE‑502, a serious flaw that compromises the integrity and confidentiality of the system.

The vulnerability affects installations of the WP Gravity Forms FreshDesk Plugin from any version through 1.3.5. Users running the plugin on any WordPress site should verify they are operating on a version newer than 1.3.5.

The CVSS score of 9.8 classifies this issue as critical. The EPSS score is less than 1 %, indicating a low current exploitation probability, although the vulnerability remains unlisted in the CISA KEV catalog. The likely attack path involves an attacker crafting a serialized payload that is processed by the plugin’s deserialization routine, which can be triggered through a publicly exposed API endpoint or form submission. If successful, the attacker can execute arbitrary code with the permissions of the web server process.