Red Hot Cyber


Gravity Forms Under Attack: WordPress Plugin Infected with a Backdoor

Redazione RHC : 15 July 2025 09:04

The popular Gravity Forms plugin for WordPress has suffered a supply chain attack: copies distributed from its official website were infected with a backdoor. Gravity Forms is a premium plugin for creating contact forms, payment forms, and other online forms. According to official statistics, it is installed on approximately one million websites, some of which belong to well-known organizations such as Airbnb, Nike, ESPN, UNICEF, and Google.

Patchstack specialists warn that they have received reports of suspicious requests generated by plugins downloaded from the official Gravity Forms website. After examining the plugin, researchers confirmed that a malicious file (gravityforms/common.php) had indeed been served from the manufacturer’s website. Further analysis revealed that this file initiated a POST request to a suspicious domain, gravityapi[.]org/sites.

As further analysis showed, the infected plugin collects a large amount of site metadata, including the site URL, admin path, active theme and plugins, and the PHP and WordPress versions, and transmits all of it to the attackers. The attackers’ server responds with base64-encoded malicious PHP code, which is saved as wp-includes/bookmark-canonical.php. This malware masquerades as a WordPress content management tool and allows unauthenticated remote code execution through functions such as handle_posts(), handle_media(), and handle_widgets().

RocketGenius, the company that develops Gravity Forms, was notified of the issue, after which a representative told researchers that the malware had only affected the manual-download and Composer versions of the plugin. Experts recommend that anyone who downloaded Gravity Forms between July 10 and 11, 2025, reinstall the plugin from a clean download. Administrators should also check their sites for signs of infection.

RocketGenius representatives have already published an analysis of the incident, confirming that only Gravity Forms versions 2.9.11.1 and 2.9.12, available for manual download between July 10 and 11, 2025, were infected. It is also reported that users who installed version 2.9.11 via Composer on either of those dates received an infected copy of the plugin as well.

“The Gravity API service, which handles licensing, automatic updates, and the installation of add-ons initiated by Gravity Forms, was not compromised. Package updates handled by this service were not affected by the attack,” the developers said.

According to the vendor, the malicious code blocked update attempts, contacted an external server to receive additional payloads, and added an administrator account to the site, giving the attackers full control over the affected site.
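The indicators reported above (the dropped wp-includes/bookmark-canonical.php file, the callback to gravityapi.org inside gravityforms/common.php, the handle_posts()/handle_media()/handle_widgets() entry points, and the affected version strings) can be turned into a simple triage check for a WordPress document root. This is an added example written for this article, not code from Patchstack or RocketGenius; it assumes the plugin lives at wp-content/plugins/gravityforms and that its main file gravityforms.php carries the standard "Version:" plugin header, and the sample install it builds is constructed for demonstration.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: dropped file, plugin file carrying the
# callback, C2 domain (defanged in the text), backdoor entry points, versions.
DROPPED_FILE = Path("wp-includes/bookmark-canonical.php")
COMMON_PHP = Path("wp-content/plugins/gravityforms/common.php")
C2_DOMAIN = "gravityapi.org"
BACKDOOR_FUNCS = ("handle_posts", "handle_media", "handle_widgets")
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12", "2.9.11"}  # 2.9.11 only via Composer

def plugin_version(plugin_dir):
    """Read the 'Version:' header; assumes the main file is gravityforms.php."""
    main = plugin_dir / "gravityforms.php"
    if not main.is_file():
        return None
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.]+)", main.read_text(errors="replace"), re.M)
    return m.group(1) if m else None

def scan_wordpress_root(root):
    """Return (indicator, detail) pairs found under one WordPress document root."""
    root, findings = Path(root), []
    if (root / DROPPED_FILE).exists():  # this file is not part of WordPress core
        findings.append(("dropped_file", str(DROPPED_FILE)))
    common = root / COMMON_PHP
    if common.is_file() and C2_DOMAIN in common.read_text(errors="replace"):
        findings.append(("c2_domain", str(COMMON_PHP)))
    version = plugin_version(root / COMMON_PHP.parent)
    if version in AFFECTED_VERSIONS:  # triage hint only; confirm the download date
        findings.append(("affected_version", version))
    for php in root.rglob("*.php"):  # entry points named in the article
        text = php.read_text(errors="replace")
        hits = [f for f in BACKDOOR_FUNCS if f"function {f}(" in text]
        if hits:
            findings.append(("backdoor_function", f"{php.relative_to(root)}: {','.join(hits)}"))
    return findings

def build_sample_install():
    """Constructed sample install mimicking the described infection (demo only)."""
    root = Path(tempfile.mkdtemp())
    plugin = root / COMMON_PHP.parent
    plugin.mkdir(parents=True)
    (plugin / "gravityforms.php").write_text("<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n")
    (plugin / "common.php").write_text("<?php\n$u = 'https://gravityapi.org/sites'; // constructed\n")
    (root / "wp-includes").mkdir()
    (root / DROPPED_FILE).write_text("<?php\nfunction handle_posts($r) {}\nfunction handle_media($r) {}\n")
    return root
```

Run scan_wordpress_root() against a real document root and treat any finding as a reason to reinstall the plugin from a clean download and review the site's administrator accounts.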

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
