Валентин Шнайдер | Hot News
16 July 2025, 17:59
A famous WordPress plugin has become a Trojan: a backdoor was discovered in Gravity Forms
One of the most popular WordPress plugins, Gravity Forms, has been targeted by a supply chain attack. Attackers integrated a backdoor into the plugin that users manually downloaded from the official website.
According to BleepingComputer, the incident affected Gravity Forms versions 2.9.11.1 and 2.9.12, which were available for manual download on July 10 and 11. Thousands of users obtained the plugin in that window, and it is used on over 1 million sites, including Airbnb, Nike, ESPN, Google, Unicef, and Yale.
The first suspicious activity was detected by cybersecurity company Patchstack. Analysis showed that the gravityforms/common.php file downloaded from the developer’s website sends POST requests to the suspicious domain gravityapi.org/sites. The file collects metadata about the site (URL, admin paths, active themes and plugins, PHP and WordPress versions), then fetches malicious code and stores it as wp-includes/bookmark-canonical.php.
The backdoor is disguised as a WordPress content management tool. It allows remote code execution on the server without authentication: a request that reaches the process_request function is enough, because that function eventually passes the user’s input to eval(), opening the way to full control over the site.
According to Patchstack, the hackers even created a new administrator account that gave them unlimited access to the infected sites. In addition, the malicious code blocked the plugin from automatically updating, making it impossible to fix the problem on your own.
The plugin developer, RocketGenius, confirmed the attack and published instructions for detecting the infection. According to the company, the infection only affected copies that were downloaded manually or installed via Composer — automatic updates via the Gravity API were not compromised.
Patchstack advises all administrators who downloaded Gravity Forms on July 10 or 11 to immediately reinstall the plugin from a clean version, and also check the site for malicious files and suspicious accounts.
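The indicators named above (the dropped wp-includes/bookmark-canonical.php file, common.php contacting gravityapi.org, and the two affected version numbers) can be checked from the command line. The following script is an added example written for this article, not a tool from Patchstack or RocketGenius; it assumes a standard WordPress layout with the plugin under wp-content/plugins/gravityforms and its version header in gravityforms/gravityforms.php.

```python
"""Defender-side check for the Gravity Forms supply chain indicators described
above. Hypothetical helper script, not from Patchstack or RocketGenius."""
import os
import re
import sys

# Indicators taken from the article; the path layout is an assumption about a
# standard WordPress install with the plugin under wp-content/plugins/gravityforms.
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}
C2_DOMAIN = "gravityapi.org"
DROPPED_FILE = os.path.join("wp-includes", "bookmark-canonical.php")
PLUGIN_DIR = os.path.join("wp-content", "plugins", "gravityforms")
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\d.]+)", re.MULTILINE)


def read_text(path):
    """Return a file's contents, or '' if it cannot be read."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def scan_wordpress_root(root):
    """Return a list of human-readable findings for one WordPress root."""
    findings = []

    # 1. The article names the file the backdoor writes; WordPress core has no such file.
    if os.path.exists(os.path.join(root, DROPPED_FILE)):
        findings.append(f"dropped backdoor present: {DROPPED_FILE}")

    # 2. The trojanised common.php contacts gravityapi.org; a clean copy does not.
    common = read_text(os.path.join(root, PLUGIN_DIR, "common.php"))
    if C2_DOMAIN in common:
        findings.append(f"common.php references {C2_DOMAIN}")

    # 3. Version header check (assumed location: gravityforms/gravityforms.php).
    match = VERSION_RE.search(read_text(os.path.join(root, PLUGIN_DIR, "gravityforms.php")))
    if match and match.group(1) in AFFECTED_VERSIONS:
        findings.append(f"affected plugin version {match.group(1)} installed; "
                        "confirm it arrived via automatic update, not manual/Composer install")

    return findings


if __name__ == "__main__":
    for finding in scan_wordpress_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

An empty result means none of the three file-level indicators were found; the rogue administrator account the article mentions must still be checked in the WordPress user list, which this script does not inspect.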
This is not the first time supply chain attacks have occurred in the WordPress ecosystem, and given the popularity of the plugin, the incident could have serious consequences for thousands of websites around the world.
As we’ve also reported, researchers uncovered a massive malware distribution campaign involving Russian-affiliated hackers and commercial advertising platforms, targeting millions of users worldwide, compromised WordPress sites, and intrusive push notifications.