What the vulnerability does
01Description
Deserialization of Untrusted Data vulnerability in CRM Perks Connector for Gravity Forms and Google Sheets wp-gravity-forms-spreadsheets allows Object Injection.This issue affects Connector for Gravity Forms and Google Sheets: from n/a through <= 1.2.6.
Explanation of Vulnerability in Simple Terms
02Summary
The Connector for Gravity Forms and Google Sheets plugin contains a deserialization vulnerability that allows unauthenticated attackers to run arbitrary PHP code on the site. The vulnerability exists in versions 1.2.6 and earlier. No user interaction is required; an attacker can exploit this remotely over the network. Site administrators should update immediately.
What an attacker can do
03Attacker Capabilities
Run arbitrary PHP code on the site without authentication.
Potential impact on your site
04Site Impact
Complete compromise of the site, including data theft, malware installation, and site defacement.
Conditions required to exploit
05Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06Disclosure timeline
October 22, 2025
CVE published
April 28, 2026
Record updated