The developers of Gravity Forms, a widely used WordPress plugin with over 1 million active installations, have confirmed a supply-chain attack where attackers compromised their official website to distribute backdoored plugin installers. The incident, first reported on July 11, 2025, appears to have affected manual downloads from the Gravity Forms website for a limited period before detection1.
Attack Vector and Compromise Details
According to security researchers, the attackers gained access to Gravity Forms’ distribution infrastructure and modified installer packages to include malicious code. The backdoor allowed unauthorized remote code execution on affected WordPress installations. This marks a significant escalation in WordPress plugin security incidents, as it represents a rare case of a verified supply-chain compromise rather than a vulnerability in the plugin code itself2.
The compromised versions reportedly injected a web shell that blended with legitimate Gravity Forms functionality. Early analysis suggests the backdoor was designed to maintain persistence while avoiding detection by common security scanners. The attack specifically targeted manual downloads rather than automatic updates from WordPress repositories, indicating the attackers likely had limited access to the distribution pipeline3.
Security Vulnerabilities and Historical Context
This incident follows several security issues recently identified in Gravity Forms. In 2023, researchers discovered a PHP Object Injection vulnerability (CVE-2023-XXXX) that allowed unauthenticated attackers to execute arbitrary code. The plugin was also affected by a stored XSS vulnerability via the style_settings parameter (CVE-2024-13378) that enabled Chrome-specific cross-site scripting attacks4.
Historical security concerns with Gravity Forms include a 2012 incident where security scanners falsely flagged the plugin’s calculation functionality as malicious due to its use of eval(). The Gravity Forms team confirmed this was a false positive, but the current compromise represents a verified threat5.
Detection and Mitigation
The Gravity Forms team has released updated clean versions and recommends all users verify their installations. Key indicators of compromise include:
- Unexpected admin users in WordPress
- Unusual network connections from the WordPress installation
- Modified Gravity Forms core files
- New scheduled tasks or cron jobs
For confirmed compromises, the recommended recovery process includes restoring from a clean backup, scanning with security tools like Wordfence or Sucuri, and completely reinstalling WordPress core along with all plugins and themes6. All credentials including admin, FTP, and database access should be rotated as part of the remediation process.
Preventive Measures and Best Practices
To protect against similar supply-chain attacks, security professionals recommend several defensive measures:
First, implement strict file integrity monitoring to detect unauthorized changes to plugin files. Second, maintain offline backups of all critical website components. Third, consider using security plugins that offer malware scanning and web application firewalls. Finally, establish a formal patch management process that includes verification of file checksums against known good versions7.
The Gravity Forms team has emphasized that only downloads from their official website or WordPress.org should be considered trustworthy. They strongly advise against using nulled or pirated versions of the plugin, which frequently contain backdoors or malware8.
Conclusion
The Gravity Forms compromise highlights the growing risk of supply-chain attacks against widely used web components. While the immediate threat has been mitigated through updated releases, the incident serves as a reminder of the importance of robust software distribution security and verification processes. Organizations using Gravity Forms should immediately verify their installations and implement the recommended security controls to prevent similar incidents.
References
- “WordPress Gravity Forms developer hacked to push backdoored plugins,” BleepingComputer, 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/wordpress-plugin-gravity-forms-vulnerable-to-php-object-injection
- “Gravity Forms plugin found vulnerable to PHP object injection,” Bitdefender, 2023. [Online]. Available: https://www.bitdefender.com/en-us/blog/hotforsecurity/gravity-forms-wordpress-plugin-found-vulnerable-to-php-object-injection
- “GravityForms 2.9.0.1-2.9.1.3 unauthenticated stored cross-site scripting via style_settings parameter,” Wordfence, 2024. [Online]. Available: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gravityforms/gravityforms-2901-2913-unauthenticated-stored-cross-site-scripting-via-style-settings-parameter
- “Security vulnerability with Gravity Forms interaction in relation to login page,” WordPress Support Forum, 2025. [Online]. Available: https://wordpress.org/support/topic/security-vulnerability-with-gravity-forms-interaction-in-relation-to-login-page
- “Site hacked,” Gravity Forms Legacy Forum, 2012. [Online]. Available: https://legacy.forums.gravityhelp.com/topic/site-hacked
- “What to do if you suspect a security issue,” Gravity Forms Documentation. [Online]. Available: https://docs.gravityforms.com/what-to-do-if-you-suspect-a-security-issue
- “Top 10 WordPress security tips,” Gravity Forms Blog. [Online]. Available: https://www.gravityforms.com/blog/top-10-wordpress-security-tips
- “Gravity Forms nulled plugins,” GravityKit. [Online]. Available: https://www.gravitykit.com/gravity-forms-nulled-plugins
