A sophisticated supply chain attack has compromised the official GravityForms WordPress plugin, allowing attackers to inject malicious code that enables remote code execution on affected websites.
The attack, discovered on July 11, 2025, represents a major security breach affecting one of WordPress’s most popular form-building plugins, with the malware being distributed directly through the official gravityforms.com domain.
Key Takeaways
1. A sophisticated supply chain attack compromised GravityForms version 2.9.12, injecting malware through the official plugin distribution.
2. The malware enabled remote code execution, data exfiltration, and persistent backdoor access using functions such as update_entry_detail() and list_sections().
3. The malicious domain (gravityapi.org) was shut down, and the developer released a clean version (2.9.13) to stop further infections.
4. Users should update immediately and monitor for suspicious activity, especially unauthorized admin accounts or unusual PHP files.
GravityForms Plugin Hacked
The security breach was first identified by researchers at Patchstack, who received reports of suspicious HTTP requests to an unknown domain, gravityapi.org, originating from the GravityForms plugin.
The malicious domain was registered on July 8, 2025, just days before the attack was discovered, suggesting a carefully orchestrated campaign.
Preliminary investigations revealed that the compromised plugin version 2.9.12 contained malware that was being distributed through official channels, including manual downloads and composer installations.
However, the attack appears to have had a limited window of opportunity, as RocketGenius, the developer of GravityForms, quickly responded to remove the malicious code from new downloads.
The company confirmed they were conducting a thorough investigation into the breach, and by July 7, 2025, they had released version 2.9.13 to ensure users could safely update without the backdoor present.
Additionally, domain registrar Namecheap suspended the gravityapi.org domain to prevent further exploitation.
The malware operated through two primary vectors, each designed to give attackers comprehensive control over infected WordPress installations.
The first method involved a malicious function called update_entry_detail() embedded in the plugin’s common.php file, which executed automatically whenever the plugin was active.
This function collected extensive system information from infected sites, including the WordPress version, active plugins, user counts, and server details, then transmitted this data to the attacker-controlled domain.
The response from the malicious server contained base64-encoded payloads that were automatically saved to the infected site’s file system, creating persistent backdoors.
The second attack vector used a function called list_sections() that created a sophisticated backdoor requiring a specific API token for access. This backdoor provided attackers with extensive capabilities:
Creating administrator accounts with full privileges.
Executing arbitrary PHP code through eval().
Uploading malicious files to the server filesystem.
Listing and deleting existing user accounts.
Performing full directory traversals.
Maintaining persistent access even after discovery.
The malware was particularly dangerous because it could execute arbitrary PHP code through eval(), essentially giving attackers full control over infected websites.
The backdoor also included functionality to create new administrator accounts, effectively guaranteeing persistent access even if the initial compromise was discovered.
Mitigations
While the full scope of the attack remains under investigation, preliminary assessments suggest the infection was not widespread, likely because of the short timeframe during which the malicious version was available.
Major hosting companies have begun scanning their servers for indicators of compromise, with results suggesting limited distribution.
The attack highlights the critical vulnerabilities in software supply chains, where even trusted sources can be compromised.
The sophisticated nature of the malware, with its multiple backdoors and comprehensive system access capabilities, demonstrates the advanced techniques employed by modern cybercriminals.
Security firms have identified several indicators of compromise, including suspicious IP addresses (185.193.89.19 and 193.160.101.6), malicious files (bookmark-canonical.php and block-caching.php), and the specific API token used by the backdoor system.
Organizations using GravityForms are advised to immediately update to version 2.9.13 or later, conduct thorough security scans of their WordPress installations, and monitor for any unauthorized administrator accounts or suspicious file modifications.
This incident underscores the importance of maintaining robust security monitoring and the need for stronger supply chain security measures across the software development ecosystem.
Indicators of Compromise (IoCs):
Type | Indicator / Detail | Notes
IP Address | 185.193.89.19 | Potential malicious IP
IP Address | 193.160.101.6 | Potential malicious IP
Domain | gravityapi.org | Associated with compromise
Domain | gravityapi.io | Associated with compromise
File Path | gravityforms/common.php | Look for gravityapi.org and the update_entry_detail function
File Path | includes/settings/class-settings.php | Look for the list_sections function
File Path | wp-includes/bookmark-canonical.php | Suspicious file
File Path | wp-includes/block-caching.php | Suspicious file
Hash/String | Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3 | Possibly a file hash, malware signature, or unique identifier
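One way to turn the file-path, function-name and domain indicators above into a triage check for a WordPress install. This is an added example, not code from the article, Patchstack or RocketGenius; the sample site it scans is a constructed fixture in a temporary directory, and the path layout assumes a standard WordPress tree with the plugin under wp-content/plugins/gravityforms.

```python
"""Added example: scan a WordPress install for the GravityForms 2.9.12 backdoor indicators listed above."""
import re
import tempfile
from pathlib import Path

PLUGIN_DIR = "wp-content/plugins/gravityforms"
# Backdoor functions injected into the two plugin files named in the report.
FUNCTION_INDICATORS = {
    "common.php": r"function\s+update_entry_detail\s*\(",
    "includes/settings/class-settings.php": r"function\s+list_sections\s*\(",
}
# Files the backdoor wrote into wp-includes; a clean core install has neither.
DROPPED_FILES = ["wp-includes/bookmark-canonical.php", "wp-includes/block-caching.php"]
C2_DOMAIN = re.compile(r"gravityapi\.(?:org|io)")

def scan_wordpress(root):
    """Return a sorted list of (relative posix path, reason) for every indicator found."""
    root = Path(root)
    findings = set()
    for rel, pattern in FUNCTION_INDICATORS.items():
        path = root / PLUGIN_DIR / rel
        if path.is_file() and re.search(pattern, path.read_text(errors="replace")):
            findings.add((f"{PLUGIN_DIR}/{rel}", "backdoor function present"))
    for rel in DROPPED_FILES:
        if (root / rel).exists():
            findings.add((rel, "dropped file present"))
    # Payloads were written to disk as PHP, so any PHP file that references the
    # C2 domains deserves triage, not only the two plugin files.
    for php in root.rglob("*.php"):
        if C2_DOMAIN.search(php.read_text(errors="replace")):
            findings.add((php.relative_to(root).as_posix(), "references C2 domain"))
    return sorted(findings)

def build_sample_site(root):
    """Constructed fixture: an install with the infected plugin file and one dropped file."""
    plugin = Path(root) / PLUGIN_DIR
    plugin.mkdir(parents=True)
    (plugin / "common.php").write_text(
        "<?php\nfunction update_entry_detail() { $u = 'https://gravityapi.org/'; }\n")
    core = Path(root) / "wp-includes"
    core.mkdir()
    (core / "block-caching.php").touch()  # dropped file, contents irrelevant here
    (core / "functions.php").write_text("<?php function wp_version() {}\n")  # clean, not flagged

def demo():
    """Build the fixture, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return scan_wordpress(root)
```

Run scan_wordpress() against a real document root to get the same (path, reason) pairs; a hit on any line is a reason to restore from a known-good backup and audit administrator accounts, not just to delete the flagged file.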