A major supply-chain attack has compromised the popular Gravity Forms WordPress plugin, affecting manual downloads from the official website.
The infected versions contained a backdoor that allowed attackers to gain full control of websites.
Gravity Forms, a premium form builder used by over one million websites, is trusted by organizations like Google, Airbnb, Nike, and Yale. Security researchers at Patchstack discovered the malware after suspicious behavior was reported from affected sites.
The malicious file, common.php, sent sensitive site data (admin paths, installed themes and plugins, and version information) to a remote domain, gravityapi.org. It then downloaded a second-stage payload disguised as a WordPress core file, wp-includes/bookmark-canonical.php. This gave the attackers remote code execution (RCE) without an admin login.
The backdoor added unauthorized admin accounts, blocked plugin updates, and let attackers run arbitrary PHP on the server through unauthenticated requests.
The plugin’s developer, RocketGenius, confirmed that only versions 2.9.11.1 and 2.9.12 manually downloaded between July 10–11 were affected. Automatic updates and plugin installations through the official Gravity API remain secure.
RocketGenius recommends:
- Reinstalling the plugin with a clean version
- Scanning for malware or unknown admin accounts
- Following their official guide to check for infections
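The checks below are an added example written for this article, not a script from RocketGenius, Patchstack, or Gravity Forms. It looks for the file-system indicators the article names: the planted wp-includes/bookmark-canonical.php (not a WordPress core file), any plugin file referencing the exfiltration domain gravityapi.org, and an installed Gravity Forms version matching the affected manual downloads (2.9.11.1 and 2.9.12). It assumes the plugin lives at wp-content/plugins/gravityforms/ with its version header in gravityforms.php; the demo site layouts it builds are constructed for illustration. Unknown admin accounts live in the database, so that check still needs WP-CLI or the dashboard.

```python
"""Scan a WordPress install for the Gravity Forms supply-chain indicators
described in the article (added example, not vendor code)."""
import os
import re
import tempfile

# Indicators taken from the article.
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}
IOC_DOMAIN = b"gravityapi.org"
PAYLOAD_PATH = os.path.join("wp-includes", "bookmark-canonical.php")
# Assumed plugin location and main file (standard WordPress layout).
PLUGIN_DIR = os.path.join("wp-content", "plugins", "gravityforms")
PLUGIN_MAIN = "gravityforms.php"


def gravity_forms_version(wp_root):
    """Read the 'Version:' line from the plugin header, or None if absent."""
    header = os.path.join(wp_root, PLUGIN_DIR, PLUGIN_MAIN)
    try:
        with open(header, encoding="utf-8", errors="replace") as fh:
            head = fh.read(4096)
    except OSError:
        return None
    match = re.search(r"^\s*\*?\s*Version:\s*([\w.]+)", head, re.MULTILINE)
    return match.group(1) if match else None


def scan(wp_root):
    """Return a list of (indicator, detail) tuples; an empty list means clean."""
    findings = []
    # 1. Second-stage payload dropped as a fake core file.
    if os.path.isfile(os.path.join(wp_root, PAYLOAD_PATH)):
        findings.append(("payload_file", PAYLOAD_PATH))
    # 2. Any PHP file under the plugin directory that mentions the C2 domain.
    for dirpath, _, files in os.walk(os.path.join(wp_root, PLUGIN_DIR)):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if IOC_DOMAIN in data:
                findings.append(("ioc_domain", os.path.relpath(path, wp_root)))
    # 3. Installed version among the affected manual downloads.
    version = gravity_forms_version(wp_root)
    if version in AFFECTED_VERSIONS:
        findings.append(("affected_version", version))
    return findings


def _write(root, rel_path, text):
    full = os.path.join(root, rel_path)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_demo_site(root, infected):
    """Create a constructed WordPress tree; 'infected' plants the indicators."""
    version = "2.9.12" if infected else "9.9.9"  # 9.9.9 is a placeholder
    _write(root, os.path.join(PLUGIN_DIR, PLUGIN_MAIN),
           "<?php\n/*\nPlugin Name: Gravity Forms\nVersion: %s\n*/\n" % version)
    common = "<?php\n// constructed sample, no real payload\n"
    if infected:
        common += "$host = 'gravityapi.org'; // constructed marker\n"
        _write(root, PAYLOAD_PATH, "<?php // constructed placeholder\n")
    _write(root, os.path.join(PLUGIN_DIR, "common.php"), common)
    return root


def run_demo():
    """Scan one infected and one clean constructed site; return both results."""
    infected = scan(build_demo_site(tempfile.mkdtemp(), infected=True))
    clean = scan(build_demo_site(tempfile.mkdtemp(), infected=False))
    return infected, clean


if __name__ == "__main__":
    bad, good = run_demo()
    print("infected site:", bad)   # three findings
    print("clean site:", good)     # []
```

Run it against a real install with `scan("/var/www/html")` (path assumed); any finding warrants reinstalling the plugin from a clean copy and reviewing admin accounts, as the vendor guidance above recommends.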
Patchstack noted that the attack domains were registered on July 8 and urged all affected site owners to act quickly to secure their websites.