WordPress security experts at Patchstack have issued an advisory highlighting a supply chain attack that targets the popular Gravity Forms plugin.
The compromise is particularly serious because the tampered copies gave attackers remote code execution on any website that installed them, putting both site owners and their visitors at significant risk.
In response to the discovery, the team behind Gravity Forms acted quickly and released an update designed to patch the security flaw. Website administrators are strongly advised to install the latest update as soon as possible to protect their sites from potential exploitation.
Supply chain attacks like this highlight the importance of regularly updating plugins and staying informed about security advisories, especially for widely used tools such as Gravity Forms.
Supply Chain Attack
Patchstack has been closely monitoring an attack on a WordPress plugin in which the attackers managed to place a tampered version of the plugin directly in the publisher's own distribution channel, so that sites pulling the plugin from the legitimate source received the malicious build.
To make matters worse, the tampered plugin also fetched additional malicious files from a domain chosen to look similar to the official one, which made the outbound traffic harder for site owners to recognise as hostile.
As a result, websites that installed the compromised plugin exposed themselves to serious risk without any action on their part: sensitive data could be leaked to the attackers, and site functionality could be altered at will.
A comparable attack was also discovered targeting the popular Gravity Forms plugin. Fortunately, this issue was quickly identified and addressed by the plugin’s publisher.
In this case, attackers injected harmful code into the file located at gravityforms/common.php. Once installed, the compromised plugin began sending HTTP POST requests to a rogue domain, gravityapi.org, which had been registered only a few days before the attack.
By doing so, the plugin effectively sent detailed information about the affected sites and their servers directly to the attackers. This information included data that could be exploited for further malicious activity.
Most concerningly, the injected code enabled remote code execution (RCE): attackers could run scripts of their choosing on any site running the infected plugin, without ever needing credentials for that site.
Patchstack provided more insight into how extensive the backdoor really was. The malicious code gave attackers several capabilities that could be devastating if used.
Among these, the attackers could upload arbitrary files directly onto the server. This would let them add more malicious scripts or even deface the website’s content.
The attackers also gained the ability to list every user account on the affected WordPress site. This included critical details such as user IDs, usernames, email addresses, and display names.
Beyond gathering information, the attackers could delete any user accounts from the WordPress site altogether. This could lock site owners and editors out of their own websites or disrupt normal site operations.
The malicious code also allowed attackers to perform file and directory listings on the server. In practice, this means they could see any file readable by the web server's PHP process, not just the plugin's own directory.
One particularly worrying detail is that attackers could read sensitive files such as wp-config.php. This file contains the website's database credentials, so a site that ran a tampered copy should treat those credentials as exposed and rotate them rather than only replacing the plugin.
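As an added example (not code from Patchstack or RocketGenius), here is an offline check a site administrator can run against a copy of the plugin directory. It flags any PHP file that references the rogue beacon domain gravityapi.org named above, records a digest of common.php for comparison against a fresh download from the vendor, and reports whether the plugin's declared version is older than 2.9.13. The sample plugin trees it scans are constructed for this example and contain a placeholder line, not the real injected code; treating versions below 2.9.13 as needing review is an assumption based on the vendor's update rather than an official indicator.

```python
"""Offline indicator check for the Gravity Forms supply chain compromise.

Added example: walks a plugin directory and reports (1) any PHP file that
references the rogue beacon domain gravityapi.org, (2) a SHA-256 of common.php
so it can be compared with a clean copy, and (3) whether the plugin header
Version is older than 2.9.13. The sample trees are constructed here; the
"backdoor" line is a placeholder, not the real injected code.
"""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

ROGUE_DOMAIN = "gravityapi.org"   # beacon domain named in the advisory
FIXED_VERSION = "2.9.13"          # assumption: anything older needs review
SUSPECT_FILE = "common.php"       # file the advisory says was tampered with

# Standard WordPress plugin header line, e.g. " * Version: 2.9.13" or "Version: 2.9.13"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.M)


def parse_version(text: str) -> tuple[int, ...]:
    """'2.9.13' -> (2, 9, 13); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def plugin_version(plugin_dir: Path) -> str | None:
    """Read the declared version from the plugin's main file, if present."""
    main = plugin_dir / "gravityforms.php"
    if not main.is_file():
        return None
    match = VERSION_RE.search(main.read_text(errors="replace"))
    return match.group(1) if match else None


def find_domain_hits(plugin_dir: Path) -> list[tuple[str, int, str]]:
    """(relative path, line number, line) for every line naming the rogue domain."""
    hits = []
    for path in sorted(plugin_dir.rglob("*.php")):
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if ROGUE_DOMAIN in line.lower():
                hits.append((path.relative_to(plugin_dir).as_posix(), lineno, line.strip()))
    return hits


def file_sha256(path: Path) -> str | None:
    """Digest to compare against a freshly downloaded copy from the vendor."""
    return hashlib.sha256(path.read_bytes()).hexdigest() if path.is_file() else None


def assess(plugin_dir: Path) -> dict:
    """Combine the indicators into one report for the given plugin directory."""
    version = plugin_version(plugin_dir)
    hits = find_domain_hits(plugin_dir)
    outdated = version is not None and parse_version(version) < parse_version(FIXED_VERSION)
    return {
        "version": version,
        "outdated": outdated,
        "domain_hits": hits,
        "compromised": bool(hits),
        "common_php_sha256": file_sha256(plugin_dir / SUSPECT_FILE),
    }


def build_sample_tree(version: str, backdoored: bool) -> Path:
    """Constructed sample plugin directory (not real Gravity Forms code)."""
    plugin_dir = Path(tempfile.mkdtemp()) / "gravityforms"
    plugin_dir.mkdir()
    (plugin_dir / "gravityforms.php").write_text(
        "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: %s\n*/\n" % version
    )
    body = "<?php\n// constructed stand-in for the plugin's common code\nfunction gf_example() { return 1; }\n"
    if backdoored:
        # Placeholder for the injected beacon; the real payload is not reproduced here.
        body += "$gf_beacon = 'https://gravityapi.org/';  // constructed indicator line\n"
    (plugin_dir / SUSPECT_FILE).write_text(body)
    return plugin_dir


if __name__ == "__main__":
    for label, tree in (("tampered", build_sample_tree("2.9.12", True)),
                        ("clean", build_sample_tree("2.9.13", False))):
        report = assess(tree)
        print(label, report["version"], "outdated" if report["outdated"] else "current",
              report["domain_hits"] or "no domain hits", report["common_php_sha256"])
```

The domain match is the weakest indicator here: an attacker who re-hosts the beacon or obfuscates the string will not be caught by it, so the digest comparison against a known-clean common.php is the check to rely on. Any site that ran a tampered copy should be treated as fully compromised, given the user-listing and wp-config.php read capabilities described above, and not merely updated.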
Supply chain attacks like these show how vital it is to monitor plugins carefully, apply updates quickly, and only download plugins from trusted sources.
While the Gravity Forms team moved fast to patch the issue, the incident serves as a strong reminder of the need for ongoing vigilance when it comes to website security.
Gravity Forms Responds
The team at RocketGenius, who develop the popular Gravity Forms plugin, responded swiftly to the discovery of the security issue. They acted on the very same day by releasing a fixed version of the plugin to protect users from further risk.
At the same time, the domain registrar Namecheap suspended the malicious typosquatted domain used by the attackers. This stopped compromised websites from reporting back to the attackers through that domain, but it did not remove the backdoor from sites that had already installed the tampered copy, so those sites still needed to be cleaned and updated.
To that end, Gravity Forms has made an updated version of the plugin available, version 2.9.13. Website owners are strongly advised to upgrade to the latest release as soon as possible, and to verify that the copy they install is a clean one.