The popular WordPress plugin Gravity Forms has been compromised in what appears to be a supply-chain attack in which manual installers from the official website were infected with a backdoor.

Gravity Forms is a premium plugin for creating contact, payment, and other online forms.

WordPress security firm Patchstack says it received a report earlier today about suspicious requests generated by plugins downloaded from the Gravity Forms website.

After examining the plugin, Patchstack confirmed that it received a malicious file (gravityforms/common.php) downloaded from the vendor's website.

Upon further analysis, the researchers found that the plugin collected extensive site metadata, including URL, admin path, theme, plugins, and PHP/WordPress versions, and exfiltrated it to the attackers.

RocketGenius, the developer behind Gravity Forms, was informed of the issue, and a staff member told Patchstack that the malware affected only manual downloads and Composer installations of the plugin.

"The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised."

RocketGenius has published a post-mortem of the incident confirming that only Gravity Forms 2.9.11.1 and 2.9.12, available for manual download between July 10 and 11, were compromised.

RocketGenius says that the malicious code blocked update attempts, contacted external servers to fetch additional payloads, and added an admin account that gave the attacker complete control of the website.

Patchstack recommends that anyone who downloaded Gravity Forms starting yesterday reinstall the plugin by getting a clean version.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
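As an added defensive check (not code from Patchstack or RocketGenius), the script below compares an installed Gravity Forms directory against a clean copy obtained through the official update channel, flags the two builds named in the post-mortem, and calls out a modified common.php or any extra file dropped into the plugin folder. It assumes the plugin's main file is gravityforms.php and exercises the logic on a constructed sample tree in demo().

```python
# Added example, not vendor code: offline integrity check of an installed Gravity Forms copy.
import hashlib
import re
import tempfile
from pathlib import Path

AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}  # builds named in the RocketGenius post-mortem
SUSPECT_FILE = "common.php"                 # file Patchstack found backdoored

def plugin_version(plugin_dir: Path):
    """Read 'Version:' from the plugin header (assumes the main file is gravityforms.php)."""
    main = plugin_dir / "gravityforms.php"
    if not main.is_file():
        return None
    m = re.search(r"^\s*\*?\s*Version:\s*([\w.]+)", main.read_text(errors="ignore"), re.M)
    return m.group(1) if m else None

def _hashes(root: Path):
    """SHA-256 of every file under root, keyed by path relative to root."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def assess(installed: Path, clean: Path) -> dict:
    """Compare file hashes and flag the conditions the incident report describes."""
    inst, ref = _hashes(installed), _hashes(clean)
    modified = sorted(f for f in inst.keys() & ref.keys() if inst[f] != ref[f])
    added = sorted(inst.keys() - ref.keys())     # fetched payload files would show up here
    missing = sorted(ref.keys() - inst.keys())
    ver = plugin_version(installed)
    return {
        "version": ver,
        "version_in_affected_window": ver in AFFECTED_VERSIONS,
        "modified": modified, "added": added, "missing": missing,
        "common_php_modified": any(Path(f).name == SUSPECT_FILE for f in modified),
        "reinstall_recommended": ver in AFFECTED_VERSIONS or bool(modified or added),
    }

def demo() -> dict:
    """Constructed sample: a clean 2.9.12 tree and an installed copy whose common.php differs."""
    header = "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean, inst = Path(tmp, "clean"), Path(tmp, "installed")
        for d in (clean, inst):
            d.mkdir()
            (d / "gravityforms.php").write_text(header)
        (clean / "common.php").write_text("<?php // clean helper code\n")
        (inst / "common.php").write_text("<?php // same file with an injected block\n")
        (inst / "extra.php").write_text("<?php // file not present in the clean copy\n")
        return assess(inst, clean)
```

For a real site, point assess() at wp-content/plugins/gravityforms and at a freshly unpacked clean download; a reinstall_recommended result of True means the installed copy should be replaced rather than patched by hand.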
This Cyber News was published on www.bleepingcomputer.com. Publication date: Fri, 11 Jul 2025 19:30:14 +0000