In a concerning development for WordPress site administrators, the Patchstack team has uncovered a targeted supply chain attack on the popular Gravity Forms plugin, following a similar breach affecting the Groundhogg plugin. This attack involved the injection of backdoor malware into plugin files downloaded directly from the official Gravity Forms website.
“We are still actively investigating to better understand the scale and impact, but as we have proof of infected websites and IOCs to keep an eye on, we’re sharing this information… so people could check if they have been affected,” wrote the Patchstack team.
The breach came to light on July 11, 2025, when a user reported suspicious HTTP traffic from a downloaded plugin file. The file, gravityforms/common.php, was found making a POST request to https://gravityapi.org/sites—a domain registered only three days earlier, on July 8, 2025.
Technical analysis revealed that the plugin was harvesting and exfiltrating WordPress environment data, including:
- Site URL and name
- Admin URL
- WordPress and PHP versions
- Active theme and plugins
- Server OS details and user count
This information was sent to the malicious domain and used to craft targeted payloads.
“At first sight, this seems to be a normal or legitimate domain. However, doing a quick check, we notice that this domain has only been registered since 8th July 2025,” the report states.
The malware response delivered by gravityapi.org included base64-encoded PHP code saved as wp-includes/bookmark-canonical.php—a disguised backdoor. This backdoor initiated a class called WP_Content_Manager, which could execute arbitrary code, manage media, manipulate content, and more.
“From all of the functions, it will perform an eval call with the user-supplied input, resulting in remote code execution on the server,” the report warns.
A second backdoor was found in includes/settings/class-settings.php, embedded via a function called list_sections(). This function accepted unauthenticated remote commands whenever the supplied secret matched a hardcoded token. It included capabilities such as:
- Creating admin accounts
- Executing arbitrary code
- Uploading files
- Listing and deleting users
- Scanning directories
These actions were triggered via requests to notification.php, often from malicious IPs like 193.160.101.6.
“The function will check if the supplied $secret_key… matches with [a hardcoded string]. Then, it can perform multiple processes…,” the report explains.
Patchstack shared a list of IOCs, including:
- Domains: gravityapi.org, gravityapi.io
- Files: gravityforms/common.php, class-settings.php, bookmark-canonical.php
- IPs: 185.193.89.19, 193.160.101.6
Patchstack emphasizes that only users who manually downloaded or installed via Composer appear to be affected, suggesting the breach was short-lived and targeted.