A Gravity Forms supply chain attack has exposed users of the popular WordPress plugin to serious security threats.
Hackers managed to backdoor manual installation files downloaded from the official Gravity Forms website.
The affected plugin versions were 2.9.11.1 and 2.9.12, available briefly between July 10 and 11.
Millions of websites use Gravity Forms, a premium WordPress plugin for building contact forms, payments, and surveys. Major organizations like Airbnb, Nike, ESPN, UNICEF, Google, and Yale have installed it.
The malicious code, inserted by threat actors, allowed for remote code execution (RCE) on compromised servers.
Attackers used obfuscated PHP code and base64 encoding to deliver malware and create new admin accounts silently.
How the backdoor works
Security researchers at Patchstack first identified the suspicious behavior earlier this week.
They found that compromised plugins generated outbound requests and dropped PHP files disguised as core WordPress components.
The malware was saved as “wp-includes/bookmark-canonical.php”, pretending to be part of WordPress.
It enabled unauthenticated attackers to trigger code execution via functions like handle_posts() and handle_widgets().
The Gravity Forms supply chain attack relied on a constructor-based call chain to reach the backdoor code.
This gave hackers unauthorized control without requiring admin credentials.
Composer installs affected too
RocketGenius, the developer behind Gravity Forms, confirmed the breach.
They stated that only manual downloads and Composer installs were compromised; automatic updates were unaffected.
The attacker’s code also blocked update checks, contacted external servers, and added a rogue admin account.
That gave the hacker full control over infected websites.
RocketGenius published a post-mortem with guidance on how to identify and remove the malware.
They recommend re-downloading a clean version and scanning affected systems for backdoors or unauthorized admin accounts.
Broader implications
The Gravity Forms supply chain attack highlights the danger of downloading plugins outside the official WordPress repository.
Even legitimate websites can unknowingly distribute malware during targeted compromises.
Security firms advise website admins to review downloads from July 10–11 and reinstall clean plugin versions immediately.
They also suggest locking down access and enabling file integrity monitoring.
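A defender-side check covering the two remediation steps named above (hunting dropped files under wp-includes and auditing administrator accounts) and the file integrity monitoring recommended here. This is an added example, not code from the article, Patchstack or RocketGenius; the core-file baseline, the sample user rows and the year of the July 10–11 window are constructed assumptions.

```python
import re
import tempfile
from pathlib import Path

# Constructed baseline; in practice derive it from the official WordPress checksums for your version.
CORE_BASELINE = {"wp-includes/bookmark.php", "wp-includes/canonical.php"}

# Obfuscation primitives typical of PHP droppers; a hit is a lead, not proof.
SUSPICIOUS = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(")

def audit_wp_includes(wp_root: str) -> dict:
    """List PHP files under wp-includes/ missing from the core baseline, and
    which of those use obfuscation primitives (what `wp core verify-checksums` also flags)."""
    root = Path(wp_root)
    unexpected, obfuscated = [], []
    for path in (root / "wp-includes").rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if rel in CORE_BASELINE:
            continue
        unexpected.append(rel)
        if SUSPICIOUS.search(path.read_text(errors="ignore")):
            obfuscated.append(rel)
    return {"unexpected": sorted(unexpected), "obfuscated": sorted(obfuscated)}

def admins_registered_in(users: list, start: str, end: str) -> list:
    """Admin logins registered within [start, end] (YYYY-MM-DD); rows as in `wp user list --format=json`."""
    return sorted(u["user_login"] for u in users
                  if "administrator" in u.get("roles", "")
                  and start <= u["user_registered"][:10] <= end)

def build_demo_site() -> str:
    """Constructed fixture: a minimal fake WordPress tree with one legitimate
    core file and one dropped file at the path the backdoor used."""
    root = tempfile.mkdtemp()
    inc = Path(root, "wp-includes")
    inc.mkdir()
    (inc / "bookmark.php").write_text("<?php\n// stand-in for the real core file\n")
    (inc / "bookmark-canonical.php").write_text(
        "<?php\n// constructed stand-in, not the real payload\n"
        "eval(base64_decode('UEhQIHNhbXBsZQ=='));\n")
    return root

if __name__ == "__main__":
    print(audit_wp_includes(build_demo_site()))
    # Year of the exposure window is assumed; the article gives only July 10-11.
    print(admins_registered_in([
        {"user_login": "owner", "roles": "administrator", "user_registered": "2021-03-02 10:00:00"},
        {"user_login": "wp_support", "roles": "administrator", "user_registered": "2025-07-11 03:14:00"},
    ], "2025-07-10", "2025-07-11"))
```

On a real site, run the audit against the web root and feed `wp user list --format=json` into the account check; treat any unexpected file or freshly registered administrator as a trigger for reinstalling from a clean download.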