WordPress GravityForms Plugin Hacked to Include Malicious Code

A sophisticated supply chain attack has compromised the official GravityForms WordPress plugin, allowing attackers to inject malicious code that enables remote code execution on affected websites. The attack, discovered on July 11, 2025, represents a significant security breach affecting one of WordPress's most popular form-building plugins, with the malware being distributed directly through the official gravityforms.com domain.

**Key Takeaways**

1. A sophisticated supply chain attack compromised GravityForms version 2.9.12, injecting malware via the official plugin distribution.
2. The malware enabled remote code execution, data exfiltration, and persistent backdoor access using functions such as `update_entry_detail()` and `list_sections()`.
3. The malicious domain (gravityapi.org) was shut down, and the developer released a clean version (2.9.13) to stop further infections.
4. Users should update immediately and monitor for suspicious activity, especially unauthorized administrator accounts or unusual PHP files.

**GravityForms Plugin Hacked**

The security breach was first [identified](https://patchstack.com/articles/critical-malware-found-in-gravityforms-official-plugin-site/) by researchers at Patchstack, who received reports of suspicious HTTP requests to an unknown domain, gravityapi.org, originating from the GravityForms plugin. The malicious domain was registered on July 8, 2025, just days before the attack was discovered, suggesting a carefully orchestrated campaign.

Initial investigations revealed that the compromised plugin version 2.9.12 contained malware that was being distributed through official channels, including manual downloads and Composer installations. However, the attack appeared to have a limited window of opportunity, as RocketGenius, the developer of GravityForms, quickly responded to remove the malicious code from new downloads. The company confirmed they were conducting a thorough investigation into the breach, and by July 7, 2025, they had released version 2.9.13 to ensure users could safely update without the backdoor present. Additionally, domain registrar Namecheap suspended the gravityapi.org domain to prevent further exploitation.

The malware operated through two primary vectors, both designed to give attackers comprehensive control over infected WordPress installations. The first method involved a malicious function called `update_entry_detail()` embedded in the plugin's common.php file, which executed automatically whenever the plugin was active. This function collected extensive system information from infected sites, including [WordPress version](https://cybersecuritynews.com/critical-wordpress-plugin-vulnerability-2/), active plugins, user counts, and server details, then transmitted this data to the attacker-controlled domain. The response from the malicious server contained base64-encoded payloads that were automatically saved to the infected site's file system, creating persistent backdoors.

The second attack vector used a function called `list_sections()` that created a sophisticated backdoor system requiring a specific API token for access. This backdoor provided attackers with extensive capabilities:

* Creating administrator accounts with full privileges.
* Executing arbitrary PHP code through `eval()` calls.
* Uploading malicious files to the server filesystem.
* Listing and deleting existing user accounts.
* Performing directory traversals across the server filesystem.
* Maintaining persistent access even after discovery.

The malware was particularly dangerous because its ability to execute arbitrary PHP code through `eval()` essentially gave attackers complete control over infected websites, while the ability to create new administrator accounts ensured persistent access even if the initial compromise was discovered.

**Mitigations**

While the full scope of the attack remains under investigation, preliminary assessments suggest the infection was not widespread, likely due to the short timeframe during which the malicious version was available. Major web hosting companies have begun scanning their servers for indicators of compromise, with results suggesting limited distribution.

The attack highlights the critical vulnerabilities in software supply chains, where even trusted sources can be compromised. The sophisticated nature of the malware, with its multiple backdoors and comprehensive system access capabilities, demonstrates the advanced techniques employed by modern cybercriminals.

Security firms have identified several indicators of compromise, including suspicious [IP addresses](https://cybersecuritynews.com/interpol-takes-down-22000-malicious-ip-addresses/) (185.193.89.19 and 193.160.101.6), malicious files (bookmark-canonical.php and block-caching.php), and the specific API token used by the backdoor system.

Organizations using GravityForms are advised to immediately update to version 2.9.13 or later, conduct thorough security scans of their WordPress installations, and monitor for any unauthorized administrator accounts or suspicious file modifications. This incident underscores the importance of maintaining robust security monitoring and the need for enhanced supply chain security measures in the software development ecosystem.

**Indicators of Compromise (IoCs):**

| Type | Indicator / Detail | Notes |
|---|---|---|
| IP Address | 185.193.89.19 | Potential malicious IP |
| IP Address | 193.160.101.6 | Potential malicious IP |
| Domain | gravityapi.org | Associated with compromise |
| Domain | gravityapi.io | Associated with compromise |
| File Path | gravityforms/common.php | Look for `gravityapi.org` and the `update_entry_detail` function |
| File Path | includes/settings/class-settings.php | Look for the `list_sections` function |
| File Path | wp-includes/bookmark-canonical.php | Suspicious file |
| File Path | wp-includes/block-caching.php | Suspicious file |
| Hash/String | Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3 | Possibly a file hash, malware signature, or unique identifier |
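To turn the file-path and network indicators in the table above into a check a site administrator can run, here is an added Python scanner; it is not part of the original article and is not code from Patchstack or RocketGenius. It assumes the standard WordPress layout with the plugin under wp-content/plugins/gravityforms, and the `demo()` function builds a constructed sample site in a temporary directory (tell-tale strings only, no real malware) to show what a hit looks like.

```python
import tempfile
from pathlib import Path

# Indicators from the IoC table. Paths assume the standard WordPress layout
# with the plugin installed under wp-content/plugins/gravityforms (assumption).
PLUGIN = "wp-content/plugins/gravityforms"
STRING_IOCS = {
    f"{PLUGIN}/common.php": ["gravityapi.org", "update_entry_detail"],
    f"{PLUGIN}/includes/settings/class-settings.php": ["list_sections"],
}
DROPPED_FILES = ["wp-includes/bookmark-canonical.php", "wp-includes/block-caching.php"]
NETWORK_IOCS = ["gravityapi.org", "gravityapi.io", "185.193.89.19", "193.160.101.6"]


def scan_wordpress(root):
    """Return sorted (indicator, relative path) pairs found under a WordPress root."""
    root = Path(root)
    hits = set()
    # Known-bad strings in the two plugin files named in the IoC table.
    for rel, markers in STRING_IOCS.items():
        path = root / rel
        if path.is_file():
            text = path.read_text(errors="ignore")
            hits.update((m, rel) for m in markers if m in text)
    # Files that a clean WordPress core never ships.
    hits.update(("dropped file", rel) for rel in DROPPED_FILES if (root / rel).exists())
    # The C2 response was written to disk as PHP, so sweep every PHP file for
    # the attacker domains and IPs, not just the two known plugin files.
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="ignore")
        hits.update((ioc, rel) for ioc in NETWORK_IOCS if ioc in text)
    return sorted(hits)


def demo():
    """Build a constructed, infected-looking site in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp())
    common = root / PLUGIN / "common.php"
    common.parent.mkdir(parents=True)
    # Constructed sample: only the tell-tale strings, not the real malware.
    common.write_text("<?php function update_entry_detail() { /* calls gravityapi.org */ }")
    (root / "wp-includes").mkdir()
    (root / "wp-includes/block-caching.php").write_text("<?php // dropped payload")
    (root / "wp-includes/functions.php").write_text("<?php // clean core file")
    return scan_wordpress(root)


if __name__ == "__main__":
    for indicator, location in demo():
        print(f"{indicator}: {location}")
```

A hit on `list_sections` or `update_entry_detail` warrants manual review of the file against a fresh 2.9.13 download rather than automatic deletion.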
