The popular WordPress plugin Gravity Forms suffered from a supply chain attack. As a result, installers from the official website were infected with a backdoor.
Gravity Forms is a premium plugin for creating contact, payment, and other online forms. According to official statistics, it is installed on approximately one million sites, some of which belong to well-known organizations such as Airbnb, Nike, ESPN, Unicef, and Google.
Experts from PatchStack warn that they have received reports of suspicious requests being generated by plugins downloaded from the official Gravity Forms website.
Upon examining the plugin, researchers confirmed that a malicious file (gravityforms/common.php) is indeed being downloaded from the manufacturer’s website. Closer inspection revealed that this file initiates a POST request to a suspicious domain at gravityapi[.]org/sites.
Further analysis revealed that the plugin collects a wealth of metadata from sites, including the URL, path to the admin panel, as well as data about themes, plugins, and PHP/WordPress versions. All the collected data is transmitted to the attackers.
The server’s response from the hackers contains malicious PHP code encoded in base64, which is saved as wp-includes/bookmark-canonical.php. This malware disguises itself as WordPress Content Management Tools and allows remote code execution without the need for authentication by utilizing functions such as handle_posts(), handle_media(), handle_widgets().
RocketGenius, the company developing Gravity Forms, was notified of the issue, after which a representative informed researchers that the malware had infiltrated only the plugin versions installed manually and through Composer.
Experts recommend that anyone who downloaded Gravity Forms on July 10-11, 2025, reinstall the plugin by obtaining a clean version. Additionally, administrators need to check their sites for signs of infection.
The representatives from RocketGenius have already published an incident analysis, confirming that only versions 2.9.11.1 and 2.9.12 of Gravity Forms, available for manual download from July 10 to July 11, 2025, were compromised. It is also noted that if users installed version 2.9.11 via Composer on any of the mentioned dates, they also received an infected copy of the plugin.
“The Gravity API service, which handles licensing, automatic updates, and the installation of add-ons initiated by Gravity Forms, has not been compromised. The attack did not affect the package updates managed by this service,” the developers stated.
According to the developer, the malicious code blocked update attempts, connected to an external server to receive additional payloads, and added an administrator account to the site, giving attackers full control over the compromised resource.
2025.02.01 — Critical RCE vulnerability fixed in Cacti
A critical vulnerability has been discovered in the open-source Cacti framework: it enables an authenticated attacker to remotely execute arbitrary code. Vulnerability's ID is CVE-2025-22604; its…
Full article →
2025.01.22 — Fake Homebrew Infects macOS and Linux Machines with infostealer
Attackers use Google ads to disguise themselves as the Homebrew website and distribute malware targeting Mac and Linux systems and stealing logon credentials, browser data, and cryptocurrency wallets.…
Full article →
2025.01.28 — J-magic backdoor attacked Juniper Networks devices using 'magic packets'
A massive backdoor attack targeting Juniper routers often used as VPN gateways has been uncovered. The devices were attacked by the J-magic malware that…
Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs
According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →
2025.03.28 — Zero-day vulnerability in Windows results in NTLM hash leaks
Security experts reported a new zero-day vulnerability in Windows that enables remote attackers to steal NTLM credentials by tricking victims into viewing malicious files in Windows…
Full article →
2025.01.25 — 18,000 script kiddies have been infected with backdoor via XWorm RAT builder
According to CloudSEK analysts, malefactors attack novice hackers using a fake malware builder. Script kiddies' systems become infected with a backdoor that steals data and subsequently…
Full article →
2025.04.15 — Hackers exploit authentication bypass bug in OttoKit WordPress plugin
Hackers exploit an authentication bypass vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin used by more than 100,000 websites. First attacks were recorded just…
Full article →
2025.02.07 — 768 vulnerabilities were exploited by hackers in 2024
According to VulnCheck, 768 CVEs were registered as exploited in real-life attacks in 2024. This is 20% greater compared to 2023 when hackers exploited 639 vulnerabilities. Interestingly,…
Full article →