The vulnerability is an instance of deserialization of untrusted data that permits object injection, as identified by CWE-502. An attacker can supply specially crafted input that, when deserialized by the CRM Perks WP Gravity Forms Constant Contact Plugin, results in arbitrary code execution on the host running WordPress. The CVSS score of 9.8 reflects the high severity and full impact on confidentiality, integrity, and availability if exploited.

WordPress sites that have installed the CRM Perks WP Gravity Forms Constant Contact Plugin version 1.1.2 or older. The affected product is the WordPress plugin "WP Gravity Forms Constant Contact" developed by CRM Perks. No specific version numbers below 1.1.2 are listed beyond "n/a" to "<= 1.1.2".

The EPSS score indicates a very low probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited known exploitation. However, the attack vector is likely remote, exploiting HTTP requests that carry serialized data processed by the plugin. If an attacker can upload or inject payloads—either through form submissions or by manipulating plugin settings—they could trigger the deserialization and achieve remote code execution. Therefore, despite the low exploitation probability, the potential impact is catastrophic if the vulnerability is exploitable in a live environment.