Gravity Forms, a legitimate WordPress plugin, was recently discovered to contain a backdoor following a supply chain attack. Created by Rocketgenius, Gravity Forms allows the creation of professional forms on WordPress websites and is used on over 5 million websites, according to the company's official website.

Incident Timeline and Scope

• Date of Discovery: July 11, 2025, security experts from Patchstack announced the discovery of malware and a backdoor in the Gravity Forms plugin for WordPress.

• Scope of Impact: Only Gravity Forms versions 2.9.11.1 and 2.9.12 downloaded manually from gravityforms[.]com around July 9-10, 2025, are affected.

• Method of Intrusion: The attacker illegally tampered with the manual download packages. The automatic update system and API of Gravity Forms were not compromised.

Characteristics and Behavior of the Malware

• The malware communicates with the fake domain gravityapi[.]org (now disabled).

• Once infected, the malware sends website information (URL, site name, WordPress Core version, PHP) to a malicious server, then downloads a payload in base64 format and saves it to wp-includes/bookmark-canonical.php.

• This payload allows the attacker to execute unauthorized eval() commands (remote code execution - RCE), which can:

  • Create or delete user accounts.

  • Upload malicious files.

  • Execute arbitrary code.

How to Check and Respond if Affected

Checking for Malware Infection

Users can access one of the following URLs (replace {your_domain} with the actual domain name):

• {your_domain}/wp-content/plugins/gravityforms/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

• {your_domain}/wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

• {your_domain}/wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

If the response is:

• Warning: Undefined array key “gf_api_action” in...

it means the website is infected with malware.

IOCs Related to This Campaign

URL

gravityapi[.]org

IP

Recommendations

FPT Threat Intelligence recommends several measures for organizations and individuals to prevent risks from supply chain attacks targeting WordPress plugins, such as the Gravity Forms incident:

• From Gravity Forms:

  • Change all server authentication information.

  • Change passwords for all admin accounts.

  • Notify domain registrars and hosting providers to handle malicious domains and IPs.

  • Collaborate with organizations to report CVEs.

• For users:

  • Restore the website to a safe state from a backup before July 9, 2025.

  • If no backup is available, perform the following:

    • Disable and delete the infected plugin (2.9.11.1 or 2.9.12).

    • Download and install a clean version (2.9.13 or later).

  • Block the following malicious domains and IPs at the firewall or security plugin.

  • Conduct a comprehensive check:

    • Review admin accounts, plugins, and system logs.

    • Remove unusual accounts and change admin passwords.

References

• WordPress plugin Gravity Forms targeted in supply chain attack

• SECURITY INCIDENT NOTICE: Gravity Forms 2.9.11.1, 2.9.12 Malware Compromise Notice