CVE-2025-58636
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-58636 is a Deserialization of Untrusted Data vulnerability (CWE-502) in the CRM Perks WP Gravity Forms Keap/Infusionsoft plugin (gf-infusionsoft) for WordPress. Published on 2025-11-06, it enables Object Injection and affects all versions from n/a through 1.2.3 inclusive.
The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), making it exploitable by remote, unauthenticated attackers over the network with low attack complexity and no user interaction required. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or other severe compromises via injected objects.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/gf-infusionsoft/vulnerability/wordpress-wp-gravity-forms-keap-infusionsoft-plugin-1-2-3-deserialization-of-untrusted-data-vulnerability?_s_id=cve provides details on the issue; security practitioners should review it for recommended mitigations, such as updating to a patched version beyond 1.2.3.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a high-severity deserialization flaw in a public-facing WordPress plugin, exploitable remotely by unauthenticated attackers without user interaction, directly enabling exploitation of public-facing applications.