The popular WordPress plugin Gravity Forms has been compromised in what appears to be a supply-chain attack, in which manual installers downloaded from the official website were infected with a backdoor.
Gravity Forms is a premium plugin for creating contact, payment, and other online forms. According to the vendor's statistics, the product is installed on around one million websites, some belonging to well-known organizations such as Airbnb, Nike, ESPN, Unicef, Google, and Yale.
Remote code execution on the server
WordPress security firm PatchStack says it received a report earlier today about suspicious requests generated by plugins downloaded from the Gravity Forms website.
After examining the plugin, PatchStack confirmed that the package downloaded from the vendor's website contained a malicious file (gravityforms/common.php). Closer examination revealed that the file initiates a POST request to a suspicious domain, “gravityapi.org/sites.”
Upon further analysis, the researchers found that the plugin collects extensive site metadata, including the URL, admin path, theme, installed plugins, and PHP/WordPress versions, and exfiltrates it to the attackers.
The server response includes base64-encoded PHP malware, which is saved as “wp-includes/bookmark-canonical.php.”
The malware masquerades as WordPress Content Management Tools and enables remote code execution without authentication through functions such as ‘handle_posts(),’ ‘handle_media(),’ and ‘handle_widgets().’
“All of those functions can be called from __construct -> init_content_management -> handle_requests -> process_request function. So, it basically can be triggered by an unauthenticated user,” Patchstack explains.
“From all of the functions, it will perform an eval call with the user-supplied input, resulting in remote code execution on the server,” the researchers said.
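As an added, defender-side example (not code from the article or from Patchstack), the following Python script checks a WordPress install for the indicators the report names: the dropped wp-includes/bookmark-canonical.php, a reference to gravityapi.org inside gravityforms/common.php, and eval() combined with base64_decode() in any PHP file. The install it scans is a constructed fixture built inline; the file paths and domain are the ones quoted above, not a complete indicator list.

```python
# Added example: check a WordPress tree for the indicators named in the report.
# Paths and the beacon domain come from the article; the sample tree is constructed.
import re
import tempfile
from pathlib import Path

SUSPICIOUS_DOMAIN = "gravityapi.org"
DROPPED_FILE = Path("wp-includes/bookmark-canonical.php")   # not a WordPress core file
PLUGIN_FILE = Path("wp-content/plugins/gravityforms/common.php")
EVAL_PATTERN = re.compile(r"\beval\s*\(")


def scan_wordpress_root(root: Path) -> list[dict]:
    """Return one finding per matched indicator under the given install root."""
    findings = []
    if (root / DROPPED_FILE).exists():
        findings.append({"path": DROPPED_FILE.as_posix(),
                         "reason": "unexpected file in wp-includes"})
    plugin = root / PLUGIN_FILE
    if plugin.exists() and SUSPICIOUS_DOMAIN in plugin.read_text(errors="replace"):
        findings.append({"path": PLUGIN_FILE.as_posix(),
                         "reason": f"references {SUSPICIOUS_DOMAIN}"})
    # Generic check: eval() together with base64_decode() in any PHP file.
    for php in root.rglob("*.php"):
        text = php.read_text(errors="replace")
        if EVAL_PATTERN.search(text) and "base64_decode" in text:
            findings.append({"path": php.relative_to(root).as_posix(),
                             "reason": "eval with base64_decode"})
    return findings


def demo() -> list[dict]:
    """Build a constructed (fake) install showing the indicators and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / PLUGIN_FILE).parent.mkdir(parents=True)
        (root / PLUGIN_FILE).write_text(
            "<?php // constructed fixture, not the real plugin file\n"
            "$beacon = 'https://gravityapi.org/sites';\n")
        (root / DROPPED_FILE).parent.mkdir(parents=True)
        (root / DROPPED_FILE).write_text(
            "<?php // constructed fixture\neval(base64_decode($input));\n")
        # A benign file that must not be flagged.
        (root / "wp-includes" / "functions.php").write_text("<?php function ok() {}\n")
        return scan_wordpress_root(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['path']}: {finding['reason']}")
```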