Hackers Compromise WordPress GravityForms Plugin with Malicious Code Injection
Hackers have targeted the popular WordPress plugin Gravity Forms, injecting malicious code into versions downloaded from the official gravityforms.com domain.
The breach was first reported on July 11, 2025, when security researchers noticed suspicious HTTP requests to the domain gravityapi.org, which was registered just days earlier on July 8, 2025.
This domain, now suspended by registrar Namecheap, served as a command-and-control server for the malware.
Attack Details
The compromised plugin, specifically version 2.9.12, included backdoors that exfiltrated sensitive site data such as URLs, WordPress versions, PHP details, active plugins, and user counts, sending them via POST requests to the malicious endpoint.
Upon receiving a response, the code would decode and write a backdoored file, like wp-includes/bookmark-canonical.php, to the server, masquerading as legitimate WordPress content management tools.
This file contained remote code execution capabilities through eval functions triggered by unauthenticated requests, allowing attackers to manipulate posts, media, widgets, and themes with devastating effects.
The malware’s ingenuity lies in its integration with Gravity Forms’ core functions. For instance, the update_entry_detail function in gravityforms/common.php is hooked into the plugins_loaded action, ensuring it runs whenever the plugin is active.
It collects comprehensive site intelligence and, based on the server’s response, deploys additional payloads.
Another vector is the list_sections function in includes/settings/class-settings.php, reachable via notification.php. It requires a specific gf_api_token (Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3) and enables actions such as creating admin users, executing arbitrary code via base64-decoded formulas, uploading files, listing or deleting users, and even browsing server directories.
This multifunctional backdoor turns infected sites into fully controllable assets for attackers.
Interestingly, the infection appears limited: scans by major hosting providers indicate it wasn’t widespread, likely because the tainted downloads were available only briefly and affected only manual and Composer installations, according to RocketGenius staff.
Mitigation Efforts
Swift action followed the discovery. By July 11, 2025, at 12:07 UTC, Gravity Forms confirmed an investigation into the malware breach, removing the malicious code from subsequent downloads.
Updates continued rapidly: at 12:38 UTC, Patchstack obtained vulnerable and patched versions, confirming the issue was isolated. By 14:10 UTC, version 2.9.13 was released as a safe update, and gravityapi.org was taken offline to prevent further exploitation.
This incident echoes a similar attack on the Groundhogg plugin, highlighting a pattern of targeted supply chain compromises in the WordPress ecosystem.
According to the report, security teams like Patchstack have been monitoring these threats, emphasizing the need for vigilance in plugin management.
For site owners, immediate steps are crucial: check for the presence of suspicious files or functions, update to 2.9.13, and scan for indicators like unexpected requests from IP addresses such as 193.160.101.6, which spoofed user agents to ping backdoor endpoints across sites.
While the attack’s scope seems contained, it underscores the risks of third-party plugins and the importance of secure download practices.
Engaging with this evolving threat not only protects individual sites but strengthens the broader WordPress community against sophisticated cyber adversaries.
Indicators of Compromise (IOCs)
| Category | IOC Details |
|---|---|
| IP Addresses | 185.193.89.19, 193.160.101.6 |
| Domains | gravityapi.org, gravityapi.io |
| Files/Paths | gravityforms/common.php, includes/settings/class-settings.php, wp-includes/bookmark-canonical.php, wp-includes/block-caching.php, /wp-content/plugins/gravityforms_2.9.12/notification.php, /wp-content/plugins/gravityforms_2.9.11.1/notification.php, /wp-content/plugins/gravityforms/notification.php |
| Strings/Functions | gravityapi.org, update_entry_detail, list_sections, Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3 |
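The site-owner checks described above, applied to the IOC table, as an added example that is not code from the article, Gravity Forms or Patchstack: a small scanner that flags planted backdoor paths and C2 strings in a WordPress tree and picks attacker IPs and backdoor-endpoint requests out of a web server access log. The combined log format, the paths being relative to the WordPress root, and the DEMO_LOG lines are assumptions constructed for the example.

```python
import os
import re

# IOC values from the table above; a hit is a prompt for manual review, not proof on its own.
IOC_FILES = {"wp-includes/bookmark-canonical.php", "wp-includes/block-caching.php",
             "wp-content/plugins/gravityforms/notification.php",
             "wp-content/plugins/gravityforms_2.9.12/notification.php",
             "wp-content/plugins/gravityforms_2.9.11.1/notification.php"}
IOC_STRINGS = (b"gravityapi.org", b"gravityapi.io",
               b"Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3")
IOC_IPS = {"185.193.89.19", "193.160.101.6"}
IOC_ENDPOINTS = tuple({os.path.basename(p) for p in IOC_FILES})  # backdoor request targets
# Assumed combined log format: ip ident user [time] "METHOD /path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def check_file(rel, data):
    """Reasons one file (path relative to the WordPress root, raw bytes) looks compromised."""
    reasons = ["known backdoor path"] if rel in IOC_FILES else []
    return reasons + ["contains " + s.decode() for s in IOC_STRINGS if s in data]

def scan_tree(root):
    """Walk a WordPress install and return [(relative_path, reason)] for every hit."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                hits += [(rel, r) for r in check_file(rel, fh.read())]
    return hits

def scan_log(lines):
    """Return [(ip, path, reason)] for attacker IPs or requests to backdoor endpoints."""
    hits = []
    for m in filter(None, map(LOG_RE.match, lines)):
        ip, path, _status = m.groups()
        if ip in IOC_IPS:
            hits.append((ip, path, "known attacker IP"))
        elif path.split("?")[0].endswith(IOC_ENDPOINTS):  # ignore query string
            hits.append((ip, path, "request to backdoor endpoint"))
    return hits

DEMO_LOG = [  # constructed sample lines, not real traffic
    '193.160.101.6 - - [11/Jul/2025:10:00:00 +0000] "GET /wp-includes/bookmark-canonical.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [11/Jul/2025:10:00:01 +0000] "POST /wp-content/plugins/gravityforms/notification.php?a=1 HTTP/1.1" 200 10 "-" "curl"',
    '10.0.0.7 - - [11/Jul/2025:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 10 "-" "curl"',
]
```

Run scan_tree against the document root of each site and scan_log against its access logs; update_entry_detail and list_sections are left out of IOC_STRINGS because they are function names inside the modified plugin files, which the gravityapi.org string already flags.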