WordPress Plugin Gravity Forms Hacked – Backdoor Found in Official Installers

The popular WordPress plugin Gravity Forms has become the latest victim of a supply chain attack, with official installers from its website found to be infected with a dangerous backdoor.
Gravity Forms is a premium plugin used to build contact forms, payment forms, and a wide range of other user-input forms. According to official statistics, it's deployed on roughly 1 million websites, including those of major organizations such as Airbnb, Nike, ESPN, UNICEF, and Google.
Discovery and Exploitation
Security researchers at PatchStack first noticed suspicious network activity originating from plugins downloaded directly from Gravity Forms’ official website. Upon closer investigation, they confirmed that a malicious file, gravityforms/common.php, was being distributed through the vendor’s own download servers.
Further analysis revealed that the infected plugin was sending POST requests to a suspicious domain, gravityapi[.]org/sites, exfiltrating metadata such as:
- Website URLs
- Admin panel paths
- Theme and plugin details
- PHP and WordPress versions
This data was transmitted to an attacker-controlled server, which then responded with base64-encoded malicious PHP. That payload was saved locally as wp-includes/bookmark-canonical.php, a file masquerading as part of WordPress's content management tools. Once installed, the malware enabled unauthenticated remote code execution (RCE) via functions such as handle_posts(), handle_media(), and handle_widgets().
Developer Response & Mitigation
Upon notification, RocketGenius, the developer behind Gravity Forms, confirmed that the malware only impacted plugins that were manually downloaded or installed via Composer during the window of July 10–11, 2025.
Affected versions include:
- Gravity Forms 2.9.11.1 and 2.9.12 (manual downloads)
- Composer-installed version 2.9.11 during the same time frame
Crucially, RocketGenius assured users that the Gravity API service—used for licensing, automatic updates, and add-on installations—was not compromised. Users who updated the plugin automatically were not affected.
What the Malware Did
The backdoor was capable of:
- Blocking update attempts, preventing remediation
- Contacting remote servers to fetch additional malicious payloads
- Creating rogue admin accounts, granting attackers full site control
What You Should Do
If you downloaded or installed Gravity Forms manually between July 10 and 11, 2025, take the following steps immediately:
- Reinstall Gravity Forms from a clean, trusted source.
- Scan for signs of compromise, including suspicious admin accounts and files such as wp-includes/bookmark-canonical.php.
- Monitor your site for any unusual activity.
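The file-system checks in the steps above can be scripted. The POSIX shell helper below is an added example, not code from the article or from RocketGenius: it looks for the dropped file, the callback domain inside gravityforms/common.php, and the affected version strings, and it builds a constructed sample site so the scan can be tried offline. Paths, the plugin header layout and the sample contents are assumptions.

```shell
#!/bin/sh
# Added triage helper: checks a WordPress root for the indicators named in the
# article (dropped file, callback domain in common.php, affected version strings).

# scan_wp_root <wordpress_root>
# Prints one line per finding; returns 0 when clean, 1 when any indicator matched.
scan_wp_root() {
    root="$1"; hits=0
    plug="$root/wp-content/plugins/gravityforms"
    # 1. Dropped payload file masquerading as core code
    if [ -f "$root/wp-includes/bookmark-canonical.php" ]; then
        echo "HIT: dropped file wp-includes/bookmark-canonical.php"; hits=$((hits + 1))
    fi
    # 2. Callback domain hard-coded in the backdoored plugin file
    if [ -f "$plug/common.php" ] && grep -q 'gravityapi\.org' "$plug/common.php"; then
        echo "HIT: callback domain gravityapi.org in gravityforms/common.php"; hits=$((hits + 1))
    fi
    # 3. Version header in the affected set (manual 2.9.11.1 / 2.9.12, Composer 2.9.11);
    #    a match alone is not proof of compromise, so it is reported as a note only
    if [ -f "$plug/gravityforms.php" ] &&
       grep -Eq 'Version:[[:space:]]*2\.9\.(11|11\.1|12)[[:space:]]*$' "$plug/gravityforms.php"; then
        echo "NOTE: plugin version is one shipped in the July 10-11 window; confirm install method and date"
    fi
    [ "$hits" -eq 0 ]
}

# make_sample_site <dir> <infected|clean>
# Builds a constructed, minimal WordPress layout so the scanner can be exercised offline.
make_sample_site() {
    dir="$1"; plug="$dir/wp-content/plugins/gravityforms"
    mkdir -p "$dir/wp-includes" "$plug"
    printf '<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n' > "$plug/gravityforms.php"
    if [ "$2" = infected ]; then
        # Constructed stand-in for the backdoor: only the callback URL and the dropped file
        printf '<?php\n$url = "https://gravityapi.org/sites"; // constructed sample\n' > "$plug/common.php"
        printf '<?php // constructed placeholder for the dropped payload\n' > "$dir/wp-includes/bookmark-canonical.php"
    else
        printf '<?php // clean placeholder\n' > "$plug/common.php"
    fi
}

# Stand-alone use: sh gf_scan.sh /var/www/html   (with no argument nothing is scanned)
if [ -n "${1-}" ]; then scan_wp_root "$1"; fi
```

A clean result from this script only covers the indicators the article names; the rogue admin accounts it describes still need a check of the users table or the WordPress admin user list.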
RocketGenius has since published a detailed incident report and is working to strengthen its supply chain defenses.
Final Word
This incident underscores the growing threat of supply chain attacks—even well-established tools from trusted vendors are not immune. Stay vigilant, keep plugins updated automatically when possible, and always verify the source of your downloads.