2025-07-14

The legitimate WordPress plugin Gravity Forms temporarily contained a backdoor after a supply chain attack discovered Friday.

Gravity Forms, created by Rocketgenius, enables advanced form creation on WordPress websites and is used on more than 5 million sites, according to its official website.

Last week, malicious code was found in a version of Gravity Forms manually downloaded from the plugin’s official website at gravityforms[.]com, Patchstack revealed in an article Friday. Rocketgenius CEO Carl Hancock told SC Media the attack only affected manual downloads and not automatic updates.

“The window for a user to download the version that was compromised was extremely short. It was not our API/Licensing/Deployment/Update server that was involved, as it is isolated on a separate hosting infrastructure,” Hancock said.

This malicious backdoor communicated with the typosquatted domain gravityapi[.]org, which has since been suspended by the domain registrar Namecheap.

A request would be sent to the malicious domain containing information about the WordPress instance, such as its URL, site name, WordPress Core version and PHP version, and the server would return a base64-encoded response that is written to wp-includes/bookmark-canonical.php.

This code included functions that enabled the attacker to remotely perform eval() calls without authentication, achieving remote code execution (RCE).

Additional malicious code was found in the list_sections() function, which would enable the attacker to remotely trigger processes including user account creation and deletion, file uploads and execution of base64-encoded code via eval().

“[…] we are aware of how the compromise occurred, the issue was resolved and mitigated by our response team the day it occurred, and we have already reached out to the users that could have potentially been impacted. It is a very small number of people,” Hancock told SC Media.

While Hancock did not disclose exactly how the compromise occurred, Gravity Forms’ security incident notice stated an “external agent” made unauthorized modifications to the plugin code.

The issue would have affected those who manually downloaded Gravity Forms version 2.9.11.1 on July 9 or 10, 2025, via the Gravity Forms account downloads page, ran a composer install to install 2.9.11.1 on July 9 or 10, or manually installed version 2.9.12 on July 10, according to the notice.

Those who installed version 2.9.12 via an automatic update in the WordPress dashboard were not affected, and the latest version, 2.9.13, is also safe to install.

Gravity Forms said users can check for infection by visiting each of the following URLs, adjusted to include their own domain and wp-content folder location if it has been customized:

{your_domain}/wp-content/plugins/gravityforms/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

{your_domain}/wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

{your_domain}/wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

If an infected plugin was installed, visiting these URLs will return a message – “Warning: Undefined array key "gf_api_action" in” – followed by a reference to the user’s wp-content folder.
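Alongside the vendor's URL check, a site owner can look for the same indicators on disk: the dropped wp-includes/bookmark-canonical.php, the gravityapi.org domain or the check-URL token inside the Gravity Forms plugin folder, and the two builds that were only at risk when installed manually. The script below is an added example, not code from Gravity Forms or Patchstack; it assumes the token appears literally in the injected notification.php and runs against a constructed sample tree.

```python
import re
import tempfile
from pathlib import Path
# Indicators named in the Gravity Forms notice and Patchstack write-up cited above.
DROPPED_FILE = Path("wp-includes") / "bookmark-canonical.php"
PLUGIN_DIR = Path("wp-content") / "plugins"
# Typosquatted C2 domain, plus the token from the vendor's check URLs (assumed to
# appear literally in the injected notification.php).
SUSPECT_STRINGS = (b"gravityapi.org",
                   b"Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3")
MANUAL_RISK_VERSIONS = {"2.9.11.1", "2.9.12"}  # at risk only if installed manually, July 9-10

def plugin_version(plugin_dir):
    """Read the 'Version:' header of gravityforms.php (standard WP plugin header)."""
    main = plugin_dir / "gravityforms.php"
    if not main.is_file():
        return None
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", main.read_text(errors="replace"), re.M)
    return m.group(1) if m else None

def scan_wordpress_root(root):
    """Return file-level indicators found under a WordPress document root."""
    root = Path(root)
    findings = {"dropped_file": (root / DROPPED_FILE).is_file(),
                "suspect_files": [], "manual_risk_versions": {}}
    plugins = root / PLUGIN_DIR
    for d in (plugins.iterdir() if plugins.is_dir() else []):
        if not d.is_dir() or not d.name.startswith("gravityforms"):
            continue
        version = plugin_version(d)
        if version in MANUAL_RISK_VERSIONS:  # informational: check how it was installed
            findings["manual_risk_versions"][d.name] = version
        for f in d.rglob("*.php"):
            if any(s in f.read_bytes() for s in SUSPECT_STRINGS):
                findings["suspect_files"].append(f.relative_to(root).as_posix())
    findings["suspect_files"].sort()
    return findings

def make_demo_sites():
    # Constructed sample trees: a clean install and one with the indicators planted.
    base = Path(tempfile.mkdtemp())
    for name in ("clean", "infected"):
        plug = base / name / PLUGIN_DIR / "gravityforms"
        plug.mkdir(parents=True)
        (plug / "gravityforms.php").write_text("<?php\n/*\n * Version: 2.9.12\n */\n")
    bad = base / "infected"
    (bad / DROPPED_FILE).parent.mkdir(parents=True)
    (bad / DROPPED_FILE).write_text("<?php // constructed stand-in for the dropped file\n")
    (bad / PLUGIN_DIR / "gravityforms" / "notification.php").write_text(
        "<?php // constructed: $c2 = 'https://gravityapi.org/';\n")
    return base / "clean", bad
```

A hit on `dropped_file` or `suspect_files` is a clean-up trigger; a version in `manual_risk_versions` alone only means the install path should be checked, since the same build delivered by automatic update was not affected.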

Affected users should restore their WordPress site to a previous backup state from before July 9, 2025, to ensure the malware and any potential injections are fully removed, according to Gravity Forms. It is also recommended that affected users block access to the gravityapi[.]org domain and malicious IP addresses listed in the Gravity Forms notice and Patchstack article.

A security audit of recently added users, admin-level users, installed plugins and other logs is also recommended. Users who want to remove a potentially infected plugin should not perform an uninstall but instead deactivate, delete and replace the plugin using the instructions provided in Gravity Forms’ notice, the company said.