A sophisticated supply chain attack has compromised the popular WordPress plugin Gravity Forms, affecting approximately one million websites including high-profile platforms operated by Airbnb, Nike, ESPN, Unicef, and Google. This premium form-building plugin fell victim to malicious code injection that infiltrated official installer packages, creating a significant security breach across the WordPress ecosystem.
Initial Discovery and Technical Analysis
Security researchers at Patchstack were the first to identify suspicious activity after receiving reports of unusual network requests originating from freshly downloaded Gravity Forms installations. Their investigation revealed a malicious file at gravityforms/common.php that initiated unauthorized POST requests to the suspicious domain gravityapi[.]org/sites.
The compromised plugin engaged in extensive data harvesting operations, systematically collecting sensitive metadata from infected websites. This included URL structures, administrative panel paths, active theme information, installed plugin inventories, and PHP/WordPress version details. All collected intelligence was transmitted to attacker-controlled servers through encrypted communication channels, ensuring covert data exfiltration.
Backdoor Implementation and Payload Delivery
The malware's command-and-control infrastructure responded to the initial data transmission by delivering base64-encoded PHP payloads. These malicious scripts were automatically stored as wp-includes/bookmark-canonical.php and disguised as a legitimate WordPress "Content Management Tools" file to evade routine security scans.
The deployed backdoor incorporated specialized functions including handle_posts(), handle_media(), and handle_widgets() that granted attackers comprehensive administrative control over compromised websites. The malware demonstrated advanced persistence techniques by blocking plugin update attempts and creating hidden administrator accounts, ensuring continued access even after potential discovery.
Attack Timeline and Affected Versions
RocketGenius, the developer behind Gravity Forms, confirmed that the security breach exclusively affected versions 2.9.11.1 and 2.9.12 available for manual download between July 10 and 11, 2025. Users who installed version 2.9.11 through the Composer package manager during this timeframe also received infected copies of the plugin.
Importantly, the Gravity API service responsible for licensing, automatic updates, and add-on installations remained secure throughout the incident. This meant that websites relying on automated update mechanisms were protected from the malicious payload distribution.
Remediation Steps and Security Recommendations
Cybersecurity experts strongly advise all administrators who downloaded Gravity Forms during the specified period to immediately reinstall the plugin using a clean version from the official website. Organizations should conduct comprehensive security audits to identify potential compromise indicators across their web infrastructure.
Critical remediation actions include searching for the bookmark-canonical.php file within the wp-includes/ directory, reviewing user accounts for unauthorized administrator profiles, and analyzing server logs for unusual network activity patterns. Additionally, implementing file integrity monitoring and regular security scanning can help detect similar threats in the future.
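One way to script the file-level checks listed above. This is an added example, not code from Patchstack or RocketGenius; it assumes a standard WordPress directory layout under the path you pass in, and uses only the file names and domain reported in this incident.

```shell
#!/bin/sh
# Added triage helper; not Patchstack's or RocketGenius's code.
# Checks one WordPress install for the file-based indicators named above:
#   1. the dropped backdoor wp-includes/bookmark-canonical.php
#   2. a gravityforms/common.php that references the gravityapi.org domain
# and, when WP-CLI is present, lists administrator accounts for manual review.
# Exit status: 0 = no indicator found, 1 = at least one indicator found.

check_gravityforms_ioc() {
    wp_root="$1"
    hits=0

    # Indicator 1: the backdoor dropped by the C2 response. Core WordPress
    # ships no file of this name, so its presence alone is a hit.
    backdoor="$wp_root/wp-includes/bookmark-canonical.php"
    if [ -f "$backdoor" ]; then
        echo "HIT: backdoor file present: $backdoor"
        hits=$((hits + 1))
    fi

    # Indicator 2: the tampered common.php that POSTs site metadata to
    # gravityapi.org. A clean copy of the plugin never references that host.
    common="$wp_root/wp-content/plugins/gravityforms/common.php"
    if [ -f "$common" ] && grep -q 'gravityapi\.org' "$common"; then
        echo "HIT: $common contacts gravityapi.org"
        hits=$((hits + 1))
    fi

    # Hidden administrator accounts cannot be judged automatically; print
    # the list for review when WP-CLI is installed (optional, informational).
    if command -v wp >/dev/null 2>&1; then
        wp user list --role=administrator --path="$wp_root" 2>/dev/null || true
    fi

    [ "$hits" -eq 0 ]
}

# Example: check_gravityforms_ioc /var/www/html && echo "no indicators found"
```

Run it against each document root that received a manual Gravity Forms download in the affected window; a non-zero exit means the install needs the reinstall and account review described above.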
This incident underscores the evolving threat landscape where even trusted software vendors can become vectors for sophisticated attacks. Supply chain compromises represent a growing concern for organizations worldwide, highlighting the necessity for robust security protocols, continuous monitoring, and rapid incident response capabilities. Website administrators must maintain heightened vigilance when installing or updating software components, regardless of their perceived trustworthiness or reputation within the development community.