Warning: Supply Chain Attack Targets Gravity Forms Plugin on WordPress
Just a SOC Analyst ^^
Gravity Forms, a legitimate WordPress plugin, was recently discovered to contain a backdoor following a supply chain attack. Created by Rocketgenius, Gravity Forms allows the creation of professional forms on WordPress websites and is used on over 5 million websites, according to the company's official website.
Incident Timeline and Scope
Date of Discovery: July 11, 2025, security experts from Patchstack announced the discovery of malware and a backdoor in the Gravity Forms plugin for WordPress.
Scope of Impact: Only Gravity Forms versions 2.9.11.1 and 2.9.12 downloaded manually from gravityforms[.]com around July 9-10, 2025, are affected.
Method of Intrusion: The attacker illegally tampered with the manual download packages. The automatic update system and API of Gravity Forms were not compromised.
Characteristics and Behavior of the Malware
The malware communicates with the fake domain
gravityapi[.]org(now disabled).Once infected, the malware sends website information (URL, site name, WordPress Core version, PHP) to a malicious server, then downloads a payload in base64 format and saves it to
wp-includes/bookmark-canonical.php.This payload allows the attacker to execute unauthorized
eval()commands (remote code execution - RCE), which can:Create or delete user accounts.
Upload malicious files.
Execute arbitrary code.
How to Check and Respond if Affected
Checking for Malware Infection
Users can access one of the following URLs (replace {your_domain} with the actual domain name):
{your_domain}/wp-content/plugins/gravityforms/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping{your_domain}/wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping{your_domain}/wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping
If the response is:
Warning: Undefined array key “gf_api_action” in...
it means the website is infected with malware.
IOCs Related to This Campaign
URL
gravityapi[.]org |
IP
| 185.243.113[.]108 |
| 185.193.89[.]19 |
| 24.245.59[.]0 |
| 194.87.63[.]219 |
Recommendations
FPT Threat Intelligence recommends several measures for organizations and individuals to prevent risks from supply chain attacks targeting WordPress plugins, such as the Gravity Forms incident:
From Gravity Forms:
Change all server authentication information.
Change passwords for all admin accounts.
Notify domain registrars and hosting providers to handle malicious domains and IPs.
Collaborate with organizations to report CVEs.
For users:
Restore the website to a safe state from a backup before July 9, 2025.
If no backup is available, perform the following:
Disable and delete the infected plugin (2.9.11.1 or 2.9.12).
Download and install a clean version (2.9.13 or later).
Block the following malicious domains and IPs at the firewall or security plugin.
Conduct a comprehensive check:
Review admin accounts, plugins, and system logs.
Remove unusual accounts and change admin passwords.
