The popular WordPress plugin Gravity Forms was recently compromised in what appears to be a supply-chain attack: attackers infected the manual installers downloaded from the official website with a backdoor.
Gravity Forms is a premium plugin for building contact, payment, and other online forms. According to the vendor's own figures, around one million websites use it, including high-profile organizations such as Airbnb, Nike, ESPN, Unicef, Google, and Yale.
Remote code execution on the server
WordPress security firm PatchStack reports that it received a submission earlier today regarding suspicious requests generated by plugins downloaded directly from the Gravity Forms website.
After investigating the plugin, PatchStack confirmed that the vendor's website served a malicious file located at gravityforms/common.php. Upon closer inspection, the team discovered that this file initiated a POST request to a suspicious domain: gravityapi.org/sites.
Furthermore, during a deeper analysis, researchers uncovered that the plugin gathered extensive site metadata—including the URL, admin path, active theme, installed plugins, and PHP/WordPress versions—and exfiltrated this information to the attackers.
In response, the attacker-controlled server returned base64-encoded PHP malware, which the plugin saved as wp-includes/bookmark-canonical.php.
This malware disguised itself as WordPress Content Management Tools and enabled remote code execution without requiring authentication. It leveraged functions such as handle_posts(), handle_media(), and handle_widgets().
According to PatchStack, "All of those functions can be called from __construct -> init_content_management -> handle_requests -> process_request. So, it basically can be triggered by an unauthenticated user." They added, "Among all the functions, one performs an eval call using user-supplied input, resulting in remote code execution on the server."
Meanwhile, RocketGenius—the developer behind Gravity Forms—received a notification about the issue. A staff member confirmed to PatchStack that the malware only impacted manual downloads and Composer-based installations of the plugin.
As a precaution, PatchStack advises all users who downloaded Gravity Forms starting yesterday to reinstall the plugin using a clean version. In addition, administrators should scan their sites for any indicators of compromise.
Finally, PatchStack noted that the domains used in this operation were registered on July 8.
Hackers add admin account
RocketGenius has published a post-mortem of the incident, confirming that only Gravity Forms versions 2.9.11.1 and 2.9.12—available for manual download between July 10 and 11—contained the compromised code.
If administrators ran a Composer install for version 2.9.11 on either of those two dates, they downloaded an infected copy of the plugin.
RocketGenius clarifies, “The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service remain unaffected.”
Moreover, RocketGenius explains that the malicious code actively blocked update attempts, reached out to an external server to retrieve additional payloads, and created an admin account—giving the attacker full control over the affected website.
To assist with mitigation, the developer has also published steps administrators can follow to check their sites for signs of infection by visiting specific links on their own websites.
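The indicators named in this article (the dropped wp-includes/bookmark-canonical.php, a gravityforms/common.php that references gravityapi.org, the handle_posts/handle_media/handle_widgets functions beside an eval call, and the two affected version numbers) are enough to write a local triage check. The script below is an added example, not code from the article, PatchStack or RocketGenius. It assumes a standard WordPress layout in which the plugin lives under wp-content/plugins/gravityforms/ and its main file gravityforms.php carries the usual "Version:" plugin header; those layout details are assumptions, not something the article states.

```python
"""Triage a WordPress document root for the Gravity Forms IOCs described above.

Added example.  File names, the C2 domain, the function names and the affected
versions come from the article; the plugin directory layout and the
"Version:" header format are assumptions about a stock WordPress install.
"""
import re
import sys
from pathlib import Path
from typing import List, Optional

# Indicators taken from the article.
DROPPED_BACKDOOR = Path("wp-includes") / "bookmark-canonical.php"
TROJANIZED_FILE = Path("wp-content") / "plugins" / "gravityforms" / "common.php"
C2_DOMAIN = "gravityapi.org"
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}
# Function names the second-stage backdoor exposed, per PatchStack.
BACKDOOR_MARKERS = ("handle_posts", "handle_media", "handle_widgets")

# Assumption: the plugin's main file is gravityforms.php and carries a
# standard WordPress plugin header with a "Version:" line.
PLUGIN_MAIN = Path("wp-content") / "plugins" / "gravityforms" / "gravityforms.php"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def _read(path: Path) -> str:
    """Read a file as text, returning '' if it is missing or unreadable."""
    try:
        return path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return ""


def plugin_version(root: Path) -> Optional[str]:
    """Return the installed Gravity Forms version from its plugin header, if any."""
    m = VERSION_RE.search(_read(Path(root) / PLUGIN_MAIN))
    return m.group(1) if m else None


def scan_wordpress_root(root) -> List[str]:
    """Return a list of human-readable findings; an empty list means no IOC matched."""
    root = Path(root)
    findings: List[str] = []

    # 1. The second-stage payload the trojanized plugin wrote to disk.
    if (root / DROPPED_BACKDOOR).exists():
        findings.append(f"dropped backdoor present: {DROPPED_BACKDOOR}")

    # 2. The first-stage file that phones home to the attacker domain.
    if C2_DOMAIN in _read(root / TROJANIZED_FILE):
        findings.append(f"{TROJANIZED_FILE} references {C2_DOMAIN}")

    # 3. Backdoor-like code anywhere else under the root, in case the payload
    #    was copied.  A bare eval() occurs in legitimate code too, so require
    #    at least two of the backdoor's function names alongside it.
    for php in root.rglob("*.php"):
        rel = php.relative_to(root)
        if rel == DROPPED_BACKDOOR:
            continue  # already reported by check 1
        text = _read(php)
        hits = sum(1 for marker in BACKDOOR_MARKERS if marker in text)
        if hits >= 2 and re.search(r"\beval\s*\(", text):
            findings.append(f"backdoor-like code in {rel}")

    # 4. A version that was only ever distributed trojanized via manual download.
    ver = plugin_version(root)
    if ver in AFFECTED_VERSIONS:
        findings.append(f"gravityforms version {ver} is in the affected set")

    return findings


if __name__ == "__main__":
    for finding in scan_wordpress_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against the WordPress document root (`python scan.py /var/www/html`). A match on the version check alone only means the affected version is installed; a match on the file or domain checks is evidence of the compromise itself and the site should be treated as fully attacker-controlled, including a review of administrator accounts, since the article notes the malware created one.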
Source: BleepingComputer, Bill Toulas
Read more at Impreza News