WordPress developers and site owners using Gravity Forms must update immediately to version 2.9.13 following the discovery of critical malware in the popular form builder plugin.
Executive Summary
Security researchers at Patchstack discovered malicious code injected into Gravity Forms plugin version 2.9.12 through a sophisticated supply chain attack. The compromised plugin automatically sent sensitive site information to attacker-controlled servers and enabled remote code execution on affected WordPress websites.
Key Details:
- Affected Plugin: Gravity Forms (version 2.9.12)
- Attack Type: Supply chain breach
- Vulnerability: Remote code execution (RCE)
- Fix Available: Version 2.9.13 released
- Domain Suspended: Malicious domain gravityapi.org disabled
What Happened: The Supply Chain Attack
On July 11, 2025, security researchers discovered that malicious code had been injected directly into the official Gravity Forms plugin available for download from gravityforms.com. This represents a serious supply chain attack where attackers compromised the plugin at its source.
Technical Analysis
The malware operated through two primary attack vectors:
1. Data exfiltration via the update_entry_detail function: The compromised plugin contained a malicious function called update_entry_detail that automatically sent detailed site information to https://gravityapi.org/sites, including the site URL, WordPress version, active plugins, PHP version, and user count.
2. Remote code execution via the list_sections function: A second malicious function allowed attackers to execute arbitrary code on infected websites using a secret key (Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3).
Attacker Capabilities
The malware enabled attackers to upload arbitrary files to servers, list and delete user accounts, and perform file and directory listings on WordPress servers. This level of access could allow complete website takeover.
Immediate Response Required
For Gravity Forms Users:
- Update immediately to version 2.9.13
- Check for suspicious files in wp-includes/ directory
- Review user accounts for unauthorized administrators
- Scan for malware using security plugins
- Change all passwords as a precaution
Security Indicators to Monitor:
- Presence of files: wp-includes/bookmark-canonical.php or wp-includes/block-caching.php
- Network requests to gravityapi.org or gravityapi.io domains
- Unusual functions: update_entry_detail or list_sections in Gravity Forms files
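A defender-side check for the indicators above, added here as an example and not code from the advisory, Patchstack or RocketGenius. It assumes the plugin is installed at wp-content/plugins/gravityforms with its version header in gravityforms.php, and builds a constructed fixture (indicator names only, no malware) so it can be exercised offline:

```shell
#!/bin/sh
# Added defender-side check (not from the advisory or RocketGenius): scans one
# WordPress install for the Gravity Forms 2.9.12 indicators listed above.
# Assumed layout: plugin at wp-content/plugins/gravityforms, header in gravityforms.php.
# gf_check ROOT prints one line per indicator; returns 0 if clean, 1 otherwise.
scan() {  # scan LABEL ERE -- list plugin files matching ERE, one hit per file
  for m in $(grep -rlE "$2" "$plugin" 2>/dev/null); do
    echo "$1  ${m#$root/}"; hits=$((hits + 1))
  done
}

gf_check() {
  root="$1"; plugin="$root/wp-content/plugins/gravityforms"; hits=0
  # 1. Files the malware dropped into wp-includes/
  for f in wp-includes/bookmark-canonical.php wp-includes/block-caching.php; do
    [ -f "$root/$f" ] && { echo "FILE    $f"; hits=$((hits + 1)); }
  done
  if [ -d "$plugin" ]; then
    # 2. The compromised release still installed (plugin header version)
    if grep -qE 'Version:[[:space:]]*2\.9\.12[[:space:]]*$' "$plugin/gravityforms.php" 2>/dev/null; then
      echo "VERSION 2.9.12 (compromised build)"; hits=$((hits + 1))
    fi
    # 3. Malicious function names and exfiltration/C2 domains in plugin code
    scan "FUNC   " 'function[[:space:]]+(update_entry_detail|list_sections)[[:space:]]*\('
    scan "DOMAIN " 'gravityapi\.(org|io)'
  fi
  [ "$hits" -eq 0 ]
}

# Constructed fixture: reproduces only the indicator names (no malware) so the
# check can be exercised offline.  make_fixture DIR infected|clean
make_fixture() {
  d="$1"; p="$d/wp-content/plugins/gravityforms"
  mkdir -p "$d/wp-includes" "$p/includes"
  if [ "$2" = infected ]; then
    printf '<?php\n/*\n * Plugin Name: Gravity Forms\n * Version: 2.9.12\n */\n' > "$p/gravityforms.php"
    printf '<?php\n// stand-in for the function that posted to gravityapi.org/sites\n' > "$p/includes/constructed-sample.php"
    printf 'function update_entry_detail() {}\nfunction list_sections() {}\n' >> "$p/includes/constructed-sample.php"
    : > "$d/wp-includes/block-caching.php"
  else
    printf '<?php\n/*\n * Plugin Name: Gravity Forms\n * Version: 2.9.13\n */\n' > "$p/gravityforms.php"
    printf '<?php\nfunction get_entry_detail() {}\n' > "$p/includes/constructed-sample.php"
  fi
}

tmp=$(mktemp -d)
make_fixture "$tmp/infected" infected; make_fixture "$tmp/clean" clean
gf_check "$tmp/infected" || echo "-> infected fixture: indicators found, treat as compromised"
gf_check "$tmp/clean"    && echo "-> clean fixture: no indicators"
rm -rf "$tmp"
```

On a real host run `gf_check /var/www/html` (or wherever WordPress lives); any output line is a reason to restore from a known-good backup rather than just updating.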
Industry Response and Mitigation
RocketGenius (Gravity Forms) Response
RocketGenius took immediate action and released version 2.9.13 on the same day the vulnerability was discovered. The company confirmed that the malware only affected manual downloads and Composer installations, not automatic updates through the WordPress admin.
Domain Registrar Action
Namecheap, the domain registrar, suspended the malicious domain gravityapi.org to prevent further exploitation.
Security Community Response
Multiple web hosting companies scanned their servers for infection indicators, with results suggesting the attack had limited reach due to the short exposure window.
Supply Chain Attack Trend
This incident follows a concerning pattern of supply chain attacks targeting WordPress plugins. Patchstack previously documented a similar attack against the Groundhogg plugin, indicating a coordinated effort to compromise WordPress sites through trusted plugin sources.
Why Supply Chain Attacks Are Dangerous:
- High trust factor: Users expect official plugin downloads to be safe
- Wide distribution: Popular plugins can infect thousands of sites quickly
- Difficult detection: Malware appears to come from legitimate sources
Protection Strategies for WordPress Sites
Immediate Actions:
- Enable automatic updates for critical plugins
- Implement security monitoring with tools like Patchstack
- Scan all website files for malware regularly
- Audit user accounts for unauthorized access
Long-term Security Measures:
- Multi-factor authentication for all admin accounts
- Regular security audits of installed plugins
- Staging environment testing before production updates
- Backup and recovery planning for incident response
WordPress Security Best Practices
Following this incident, WordPress site owners should consider:
- Plugin source verification: Only download from official WordPress.org repository or verified vendors
- Update monitoring: Track plugin updates and security advisories
- Access controls: Limit admin privileges and regularly audit user accounts
- Network monitoring: Watch for unusual outbound connections
Conclusion
The Gravity Forms malware incident serves as a critical reminder that even trusted plugins can be compromised. The quick response from RocketGenius and the security community demonstrates the importance of vigilant monitoring and rapid incident response.
Immediate Action Required: All Gravity Forms users must update to version 2.9.13 immediately and perform security audits of their websites.
For WordPress developers and agencies managing multiple sites, this incident underscores the importance of implementing comprehensive security monitoring and update management processes.