The popular WordPress plugin Gravity Forms has been compromised in a supply-chain attack. For a brief window in July 2025, attackers managed to infect the manual installer packages available for download from the official Gravity Forms website with a backdoor. This incident did not affect automatic updates or installations performed through the built-in plugin updater, only manual downloads and Composer installations.
Scope and Impact
- Affected Versions: Gravity Forms versions 2.9.11.1 and 2.9.12 downloaded manually between July 10 and July 11, 2025.
- Attack Vector: The infection was present only in packages downloaded manually or via Composer, not through the plugin’s automatic update mechanism.
- Victims: The plugin is used by over a million websites, including high-profile organizations such as Airbnb, Nike, ESPN, Unicef, Google, and Yale.
Technical Details
- Malicious Payload: The compromised package included a modified common.php file, which made suspicious HTTP POST requests to the domain gravityapi.org.
- Data Exfiltration: The malware collected extensive site metadata (such as URL, admin path, theme, plugins, and PHP/WordPress versions) and sent it to the attacker’s server.
- Remote Code Execution: The attacker’s server responded with base64-encoded PHP malware, which was saved as wp-includes/bookmark-canonical.php. This backdoor allowed unauthenticated remote code execution, giving attackers full control over the affected website.
- Persistence: The malware also blocked update attempts and could create a new admin account for persistent access.
Response and Mitigation
- Immediate Actions: Gravity Forms’ developer, RocketGenius, was notified and responded by releasing a clean version (2.9.13) and removing the malicious code from downloads.
- Domain Takedown: The malicious domain gravityapi.org, used for command-and-control, was suspended to prevent further exploitation.
- Advice for Users:
  - If you manually downloaded Gravity Forms between July 10 and 11, 2025, immediately reinstall a clean version from the official site.
  - Scan your site for suspicious files (wp-includes/bookmark-canonical.php) and unexpected admin accounts.
  - Follow the official incident notice and remediation steps provided by Gravity Forms.
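The on-disk checks from the advice above, written up as an added triage script that is not from the advisory or from RocketGenius. It assumes the standard layout with the plugin under wp-content/plugins/gravityforms and reads the version from the header of gravityforms.php (that file name is an assumption); the demo tree at the end is constructed, not real data.

```shell
#!/bin/sh
# Added triage helper (not from the advisory): checks a WordPress install on disk
# for the two file-level indicators described above.
# Usage: check_gravity_forms /path/to/wordpress
# Prints each finding; returns the number of hard indicators found (0 = clean).
check_gravity_forms() {
    wp_root="$1"
    plugin_dir="$wp_root/wp-content/plugins/gravityforms"
    backdoor="$wp_root/wp-includes/bookmark-canonical.php"
    found=0

    # Indicator 1: the dropped backdoor. No stock WordPress release ships this file.
    if [ -f "$backdoor" ]; then
        echo "INDICATOR: backdoor file present: $backdoor"
        found=$((found + 1))
    fi

    # Indicator 2: the tampered common.php beaconed to gravityapi.org, which a clean
    # copy never references. Scan the whole plugin tree in case the string moved.
    if [ -d "$plugin_dir" ] && grep -rqs 'gravityapi\.org' "$plugin_dir"; then
        echo "INDICATOR: reference to gravityapi.org under $plugin_dir"
        found=$((found + 1))
    fi

    # Context only: the affected builds were 2.9.11.1 and 2.9.12 obtained by manual
    # download; version alone does not prove compromise (auto-updates were clean).
    if [ -f "$plugin_dir/gravityforms.php" ]; then
        version=$(sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*//p' \
                      "$plugin_dir/gravityforms.php" | head -n 1 | tr -d '[:space:]')
        case "$version" in
            2.9.11.1|2.9.12)
                echo "NOTE: Gravity Forms $version is an affected release; reinstall 2.9.13 from the official site" ;;
        esac
    fi
    # Unexpected administrator accounts live in the database, not on disk; with WP-CLI:
    #   wp user list --role=administrator --fields=ID,user_login,user_registered
    return "$found"
}

# Demo on a constructed tree that mimics an infected manual install (not real data).
demo=$(mktemp -d)
mkdir -p "$demo/wp-includes" "$demo/wp-content/plugins/gravityforms"
printf '<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n' > "$demo/wp-content/plugins/gravityforms/gravityforms.php"
printf '<?php // constructed: beacon to https://gravityapi.org/\n' > "$demo/wp-content/plugins/gravityforms/common.php"
: > "$demo/wp-includes/bookmark-canonical.php"
rc=0; check_gravity_forms "$demo" || rc=$?
echo "hard indicators found: $rc"   # prints 2 for the constructed tree
rm -rf "$demo"
```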