Description
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection.This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6.
Published: 2025-12-18
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the deserialization of untrusted data within the WP Gravity Forms HubSpot plugin, allowing attackers to perform object injection. This flaw can be leveraged to execute arbitrary PHP code on the web server, compromising confidentiality, integrity, and availability of the affected system. The high CVSS score of 9.8 reflects the potential for full system compromise if exploited.

Affected Systems

The flaw affects the CRM Perks WP Gravity Forms HubSpot plugin for WordPress, specifically all installations of versions 1.2.6 and earlier. Users running any of these versions are at risk until the plugin is updated or otherwise mitigated.

Risk and Exploitability

The security score of 9.8 signals critical severity, but the EPSS rating of <1% indicates that exploitation activity is expected to be rare at present. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to deliver malicious serialized payloads to the plugin’s deserialization routine, typically via user‑submittable fields or crafted requests. Given the nature of PHP unserialize functions, successful exploitation could grant remote code execution with the privileges of the web server process.

Generated by OpenCVE AI on April 29, 2026 at 13:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WP Gravity Forms HubSpot plugin to a version newer than 1.2.6 if a fix is released.
  • If upgrading is not immediately possible, disable or remove the plugin from the WordPress installation to eliminate the deserialization path.
  • Implement a web application firewall rule that detects and blocks malicious payloads targeting PHP unserialize calls within the plugin’s endpoints.

Generated by OpenCVE AI on April 29, 2026 at 13:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 31 Dec 2025 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Crmperks
Crmperks wp Gravity Forms Hubspot
CPEs cpe:2.3:a:crmperks:wp_gravity_forms_hubspot:*:*:*:*:*:wordpress:*:*
Vendors & Products Crmperks
Crmperks wp Gravity Forms Hubspot

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Crm Perks
Crm Perks wp Gravity Forms Hubspot
Wordpress
Wordpress wordpress
Vendors & Products Crm Perks
Crm Perks wp Gravity Forms Hubspot
Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms HubSpot gf-hubspot allows Object Injection.This issue affects WP Gravity Forms HubSpot: from n/a through <= 1.2.6.
Title WordPress WP Gravity Forms HubSpot plugin <= 1.2.6 - Deserialization of untrusted data vulnerability
Weaknesses CWE-502
References

Subscriptions

Crm Perks Wp Gravity Forms Hubspot
Crmperks Wp Gravity Forms Hubspot
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T18:39:12.738Z

Reserved: 2025-09-25T15:28:19.138Z

Link: CVE-2025-60178

cve-icon Vulnrichment

Updated: 2025-12-18T15:49:42.640Z

cve-icon NVD

Status : Modified

Published: 2025-12-18T08:16:09.603

Modified: 2026-01-20T15:17:28.853

Link: CVE-2025-60178

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:15:11Z

Weaknesses