Impact
The vulnerability is a deserialization of untrusted data flaw (CWE-502) in the CRM Perks WP Gravity Forms Zoho CRM and Bigin plugin for WordPress. Because the plugin deserializes attacker-controlled input, an attacker can supply crafted serialized PHP objects, which gives a deserialization-based PHP object injection vector; once the input is processed by the plugin, this can lead to arbitrary code execution or unauthorized data manipulation. Versions through 1.2.9 are affected, so any site running the plugin at that version or earlier is exposed to the flaw. The CVSS score of 9.8 rates the issue as critical. The EPSS metric indicates a very low but non-zero chance of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is most likely remote, relying on the plugin's data handling routines; it probably does not require authentication, but the precise prerequisites are not explicitly detailed, so the safest assumption is that unauthenticated users can supply untrusted data.
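The following PHP is an added illustration of the CWE-502 pattern behind this class of flaw, beside a hardened equivalent; it is not code from the plugin or from the advisory, and the function names, settings shape and sample input are hypothetical.

```php
<?php
// Added illustration of CWE-502 in PHP; not the plugin's code. Function
// names, the settings shape and the sample input are hypothetical.

// Vulnerable pattern: unserialize() on attacker-controlled input. Any class
// already loaded by WordPress or another plugin that defines __wakeup,
// __destruct or __toString can be instantiated with attacker-chosen
// properties; that is what "PHP object injection" means.
function vulnerable_load_settings(string $raw): array
{
    $settings = unserialize($raw); // untrusted bytes become live objects
    return is_array($settings) ? $settings : [];
}

// Hardened: forbid object instantiation and validate the result's shape.
// With allowed_classes => false, unserialize() yields __PHP_Incomplete_Class
// stand-ins instead of real objects, so no magic methods ever run.
function hardened_load_settings(string $raw): array
{
    $settings = @unserialize($raw, ['allowed_classes' => false]); // false if malformed
    if (!is_array($settings)) {
        return [];
    }
    // Leaves must be scalars or null; anything else (an incomplete-class
    // stand-in, for example) means an object was smuggled into the data.
    array_walk_recursive($settings, function ($leaf) {
        if ($leaf !== null && !is_scalar($leaf)) {
            throw new UnexpectedValueException('objects are not permitted in settings');
        }
    });
    return $settings;
}

// Preferable for new code: a format that cannot express objects at all.
function load_settings_json(string $raw): array
{
    $settings = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($settings) ? $settings : [];
}

// Constructed sample: a benign settings array of the kind a form-to-CRM
// integration might persist. Both safe loaders accept it; only the hardened
// loader refuses a serialized object placed in the same field.
$expected = ['module' => 'Leads', 'map' => ['email' => 'Email']];
assert(hardened_load_settings(serialize($expected)) === $expected);
assert(load_settings_json(json_encode($expected)) === $expected);
```

Auditing a plugin for this flaw means locating every unserialize() call that can reach request, option or form data and confirming it either passes allowed_classes => false or has been replaced by a JSON decode.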
Affected Systems
The flaw affects the CRM Perks WP Gravity Forms Zoho CRM and Bigin plugin for WordPress, specifically any installation of the plugin at version 1.2.9 or earlier.
Risk and Exploitability
With a 9.8 CVSS rating the flaw is considered critical. The EPSS score of <1% suggests exploitation is presently unlikely, yet the severity warrants vigilance. Because the vulnerability is not in the KEV catalog, there is no record there of in-the-wild exploitation, but the potential for remote code execution is significant.
OpenCVE Enrichment