Impact
The CVE is a deserialization of untrusted data flaw (CWE-502) in the WP Gravity Forms Insightly WordPress plugin. The plugin deserializes attacker-supplied serialized data without adequate validation, which is the PHP object injection pattern: a crafted serialized string makes the runtime instantiate an object of any loadable class, and if such a class has a magic method with useful side effects (for example __wakeup() or __destruct()), the attacker turns data handling into arbitrary code execution with the permissions of the web server process. The vendor release notes indicate that every installation of the plugin up to and including version 1.1.6 is affected.
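The following PHP is an added illustration of the CWE-502 pattern described above; it is not the plugin's code, and the LogWriter class, the handler functions and the file paths are hypothetical. It shows why untrusted input reaching unserialize() is dangerous, and the two ways a practitioner would close the hole: refusing objects with allowed_classes, or moving to a format with no object semantics (JSON). JSON_THROW_ON_ERROR needs PHP 7.3 or later.

```php
<?php
// Added example (not the plugin's code). LogWriter is a hypothetical class
// standing in for any class on the site that has a magic method with side
// effects: PHP runs __wakeup()/__destruct() on objects that unserialize()
// rebuilds, so an attacker who controls the serialized string controls the
// object's properties and therefore what that method does.
class LogWriter {
    public $path = '/tmp/plugin.log';
    public $line = '';
    public function __destruct() {
        // Both $path and $line come straight from the serialized payload.
        file_put_contents($this->path, $this->line, FILE_APPEND);
    }
}

// Vulnerable pattern (CWE-502): untrusted input straight into unserialize().
function vulnerable_handler(string $raw): array {
    $data = unserialize($raw);          // any loadable class may be instantiated
    return is_array($data) ? $data : [];
}

// True if $value is, or contains, an object at any depth.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $v) {
            if (contains_object($v)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened pattern 1: forbid objects. With allowed_classes => false every
// object becomes __PHP_Incomplete_Class and no magic method of the original
// class ever runs; the recursive check then rejects the input outright.
function hardened_handler(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return [];                      // reject anything that is not plain data
    }
    return $data;
}

// Hardened pattern 2 (preferred for new code): a format with no object
// semantics at all, so there is nothing for an attacker to instantiate.
function json_handler(string $raw): array {
    $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed payload: a serialized LogWriter whose properties name a file
// and its contents. Here it only drops a marker file; with a web-writable
// path under the document root the same primitive yields code execution.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:17:"/tmp/poi-demo.txt";s:4:"line";s:8:"injected";}';

vulnerable_handler($payload);           // __destruct() fires as $data is freed:
                                        // /tmp/poi-demo.txt now exists
@unlink('/tmp/poi-demo.txt');

$clean = hardened_handler($payload);    // empty array; no destructor ran and
                                        // /tmp/poi-demo.txt was not recreated
var_dump($clean, file_exists('/tmp/poi-demo.txt'));
```

The vulnerable handler never uses the object; it is enough that unserialize() built it, because the destructor runs when the local variable is released at function return. That is why input validation after the fact does not help and the deserialization call itself has to be constrained.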
Affected Systems
Vulnerable systems are WordPress sites running the plugin "WP Gravity Forms Insightly" from the vendor CRM Perks, in any release up to and including version 1.1.6. The advisory states no WordPress core or PHP version prerequisites, so any site with the plugin installed should be treated as affected until a later, fixed release is confirmed and installed, or the plugin is removed. Because the plugin sits behind Gravity Forms, the feature is typically exposed on public-facing form pages, which widens the set of sites that may be reachable by an unauthenticated attacker.
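As an added inventory check (not part of the advisory), the script below scans a WordPress install for the plugin by the "Plugin Name:" line in its header and reports whether the installed version falls in the affected range. It assumes it is run as `php check-insightly.php /path/to/wordpress`; the advisory gives the plugin's display name but not its directory slug, so the match is on the header name (substring "Gravity Forms Insightly", case-insensitive), which is an assumption about how the plugin identifies itself.

```php
<?php
// Added check (not from the advisory). Usage: php check-insightly.php /var/www/html
// Assumptions: the WordPress root is the first argument (default: cwd), and the
// plugin's header "Plugin Name:" contains "Gravity Forms Insightly" (the advisory
// names it "WP Gravity Forms Insightly"; the exact header text may differ).

const AFFECTED_NAME_FRAGMENT = 'Gravity Forms Insightly';
const LAST_AFFECTED_VERSION  = '1.1.6';   // advisory: affected up to and including 1.1.6

// Read the WordPress plugin header from the first 8 KiB of a PHP file, using the
// same line pattern WordPress itself applies to header fields.
function read_plugin_header(string $file): ?array {
    $head = file_get_contents($file, false, null, 0, 8192);
    if ($head === false || !preg_match('/^[ \t\/*#@]*Plugin Name:\s*(.+)$/mi', $head, $n)) {
        return null;
    }
    $version = preg_match('/^[ \t\/*#@]*Version:\s*(.+)$/mi', $head, $v) ? trim($v[1]) : '';
    return ['name' => trim($n[1]), 'version' => $version, 'file' => $file];
}

// Return every matching plugin found under wp-content/plugins with an
// 'affected' flag. A missing Version header is treated as affected.
function find_affected(string $wp_root): array {
    $base  = rtrim($wp_root, '/') . '/wp-content/plugins';
    $files = array_merge(glob($base . '/*.php') ?: [], glob($base . '/*/*.php') ?: []);
    $hits  = [];
    foreach ($files as $file) {
        $hdr = read_plugin_header($file);
        if ($hdr === null || stripos($hdr['name'], AFFECTED_NAME_FRAGMENT) === false) {
            continue;
        }
        // version_compare() orders 1.1.6 before 1.1.10; plain string order does not.
        $hdr['affected'] = $hdr['version'] === ''
            || version_compare($hdr['version'], LAST_AFFECTED_VERSION, '<=');
        $hits[] = $hdr;
    }
    return $hits;
}

$root = $argv[1] ?? getcwd();
$found = find_affected($root);
if ($found === []) {
    echo "No plugin matching '" . AFFECTED_NAME_FRAGMENT . "' found under $root\n";
}
foreach ($found as $p) {
    printf("%s %s (%s): %s\n",
        $p['name'],
        $p['version'] !== '' ? $p['version'] : 'unknown version',
        $p['file'],
        $p['affected'] ? 'AFFECTED (<= ' . LAST_AFFECTED_VERSION . '), update or disable'
                       : 'not in affected range');
}
```

The scan reads file headers only, so it works on a backup or a mounted volume as well as a live site, and it does not require WordPress to be bootable. A plugin that is installed but deactivated still shows up, which is intended: inactive plugin files can still be reachable if they are requested directly.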
Risk and Exploitability
The CVSS base score of 9.8 rates this Critical; a score that high is consistent with a flaw reachable over the network with low attack complexity and no privileges or user interaction required. The EPSS score of less than 1% means that, at the time of analysis, the EPSS model predicted a low probability of exploitation activity in the wild over the following 30 days; EPSS is a prediction of exploitation likelihood, not a measure of severity, and the flaw remains severe. The CVE is not listed in the CISA KEV catalog, which means CISA has no confirmed evidence of active exploitation, not that exploitation has not occurred or cannot occur. The most likely attack vector is a crafted HTTP request to a plugin endpoint that deserializes user-supplied data; the advisory does not describe a public proof of concept or a specific deserialization gadget chain for this plugin. Successful exploitation would give the attacker code execution on the WordPress host with the web server's privileges, and from there access to wp-config.php and the site database.
OpenCVE Enrichment