Vulnerabilities

Hackers Inject Malware Into Gravity Forms WordPress Plugin 

Two Gravity Forms WordPress plugin versions available on the official download page were injected with malware in a supply chain attack.

WordPress vulnerability exploited

Two trojanized versions of the Gravity Forms WordPress plugin were distributed through the official download page following a supply chain attack.

Gravity Forms is an easy-to-use WordPress forms builder that has over 1 million active installations. It offers a visual form editor, supports transaction management and workflow automation, and provides support for a broad range of form customizations.

The malicious activity related to Gravity Forms was flagged on July 11, after Patchstack received a report that the plugin made an HTTP request to a suspicious domain that was created on July 8.

The plugin was caught sending WordPress installation information in the request, and containing malicious functions that could be called by unauthenticated users to execute arbitrary code remotely on the server.

On the same day, Gravity Forms’ developer RocketGenius confirmed that malicious iterations of the plugin were listed on the official download page.

“For a limited time and only via specific methods, two Gravity Forms core plugin packages offered for manual download were compromised by an external agent who made unauthorized code modifications,” the developer said.

Advertisement. Scroll to continue reading.

According to RocketGenius, only Gravity Forms versions 2.9.11.1 and 2.9.12 available through the download page on July 9 and July 10 were infected, albeit users who ran a composer install and installed 2.9.11.1 during the timeframe also executed the malicious iteration.

The packages fetched via the auto-update mechanism were not malicious, nor was the Gravity API service that handles automatic updates, licensing, and installations compromised, the developer notes.

The malicious code in the compromised plugin versions, RocketGenius says, was designed to create an administrative account to the WordPress website, creating a backdoor and allowing attackers to access the site installation remotely, execute code, manipulate accounts, and steal data.

Version 2.9.13 of the plugin was released on July 11 to remove the malicious code and users are urged to update as soon as possible, especially if they manually downloaded a backdoored iteration on July 9 or July 10.

“All keys and credentials for all the services we use to store downloadable packages have been updated to close the possibility of unauthorized access. All administrative accounts have been audited and have had their passwords cycled,” RocketGenius notes.

Related: Forminator WordPress Plugin Vulnerability Exposes 400,000 Websites to Takeover

Related: Vulnerability in OttoKit WordPress Plugin Exploited in the Wild

Related: Threat Actors Deploy WordPress Malware in ‘mu-plugins’ Directory

Related: Critical Plugin Flaw Exposed 4 Million WordPress Websites to Takeover

Related Content

Malware & Threats

The new macOS malware has targeted at least 100 users to steal their passwords and cryptocurrency. 

Endpoint Security

Bitdefender researchers show how Windows bind links can create conflicting filesystem views to hide malware from endpoint security products.

Malware & Threats

The backdoor’s destructive capabilities include a standalone wiper, ransomware encryption, and a multi-pass wiping command.

Malware & Threats

A Go module is used to load PowerShell code that fetches a resolver from public dead drops to execute Windows malware.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

Malware & Threats

Turla has been using the backdoor against government and military organizations in Ukraine for espionage.

Cybercrime

Hundreds of C&C servers were disrupted in an operation involving law enforcement and several cybersecurity companies.

Malware & Threats

Mistic is used by Woodgnat, an initial access broker working with Qilin, Interlock, Rhysida, Akira, 8Base, and Black Basta.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version