Impact
The WordPress WP Gravity Forms Salesforce plugin contains a deserialization bug that allows an attacker to inject PHP objects via untrusted data. This PHP Object Injection can lead to arbitrary code execution on the server, granting the attacker the ability to compromise the web application. The flaw stems from the plugin's handling of form submissions that are deserialized without proper validation, and the vulnerability is classified as CWE-502.
Affected Systems
The affected software is the CRM Perks WP Gravity Forms Salesforce WordPress plugin for all installations up to and including version 1.5.1. Any WordPress site running the plugin in those versions without an upgrade is potentially exposed.
Risk and Exploitability
The vulnerability can be leveraged by an attacker to inject PHP objects via untrusted data processed by the plugin. Based on the description, an attacker may be able to exploit this flaw by submitting specially crafted data to the form handling logic, although the exact exploitation vector is not detailed in the advisory. The EPSS score of less than 1% indicates a low probability of current exploitation, and the issue is not listed in CISA KEV. The CVSS score of 9.8 nonetheless signals critical severity; administrators should therefore treat the risk as high and take remedial action.
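The pattern behind a CWE-502 finding of this kind, unserialize() applied to a submitted form field, beside two hardened handlers, as an added PHP example. This is not the plugin's own code; the AuditNote class, the handler names and the serialized input are constructed for illustration.

```php
<?php
// Added example, not the plugin's code; names are hypothetical. Contrasts the
// CWE-502 pattern (unserialize() on form data) with two hardened handlers.

// Stand-in for any application class with a magic method; in real code these
// (__wakeup, __destruct, __toString, ...) give injected objects their effect.
final class AuditNote
{
    public static array $wakeups = [];
    public string $label = '';

    public function __wakeup(): void
    {
        self::$wakeups[] = $this->label;   // side effect of unserialize()
    }
}

// UNSAFE: the sender of the form field chooses which classes get instantiated.
function handle_submission_unsafe(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// HARDENED (1): same format, but no class may be instantiated. Objects come
// back as __PHP_Incomplete_Class and no magic method of app code runs.
function handle_submission_hardened(string $untrusted): mixed
{
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    return $value === false ? null : $value;   // reject malformed input
}

// HARDENED (2): preferred for new code. JSON decoded to arrays cannot carry
// PHP objects at all, so there is nothing to inject.
function handle_submission_json(string $untrusted): ?array
{
    try {
        $value = json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    return is_array($value) ? $value : null;
}

// Constructed input: a serialized AuditNote written by hand, which is all a
// sender needs because the serialized format is plain text.
$forged = 'O:9:"AuditNote":1:{s:5:"label";s:6:"forged";}';
handle_submission_unsafe($forged);                 // __wakeup() runs here
$count = count(AuditNote::$wakeups);               // records the unsafe call
$safe  = handle_submission_hardened($forged);      // incomplete class, no __wakeup()
assert($safe instanceof __PHP_Incomplete_Class && count(AuditNote::$wakeups) === $count);
```

The hardened unserialize() path still accepts the serialized format, so it is a stop-gap for stored data; for new form handling, the JSON variant removes the object-injection surface entirely.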
OpenCVE Enrichment