
Malware Found in Official GravityForms Plugin Indicating Supply Chain Breach


Update 8-11-2025 06:00 UTC: We have observed activity against one of the backdoors, the one that is triggered through a gf_api_token parameter. The IP address 193.160.101.6 requests the following URLs on every site it visits, using a spoofed user agent:

/wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping
/wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping
/wp-content/plugins/gravityforms/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping
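The following is an added example, not Patchstack's or Gravity Forms' code, showing how a host or site owner could check access logs and a plugin directory for the indicators quoted above: requests to notification.php under any gravityforms* plugin directory that carry a gf_api_token parameter, the probing IP 193.160.101.6, the token value seen in the probes, and the gravityapi.org callback domain. The log lines and plugin files are constructed for the example; the spoofed User-Agent is not given on this page, so a generic one is used, and the "backdoored" file is only a stand-in carrying the IOC strings, not the real injected code.

```python
"""IOC checks for the Gravity Forms backdoor probe.

Added example (not Patchstack's or Gravity Forms' code). Matches only the
indicators quoted on the page; sample log lines and files are constructed.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

PROBE_IP = "193.160.101.6"
CALLBACK_DOMAIN = "gravityapi.org"
KNOWN_TOKEN = "Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3"
IOC_STRINGS = (CALLBACK_DOMAIN, "gf_api_token")

# Apache/nginx combined log: ip ident user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# The probes hit both the plain directory and versioned copies such as gravityforms_2.9.12.
PROBE_PATH_RE = re.compile(r"^/wp-content/plugins/(gravityforms[^/]*)/notification\.php$")


def classify_request(line):
    """Return the matched indicators for one access-log line, or None if it is not a probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    p = PROBE_PATH_RE.match(url.path)
    if not p:
        return None
    query = parse_qs(url.query)
    tokens = query.get("gf_api_token", [])
    if not tokens:
        # A hit on notification.php alone is not treated as a probe; the
        # gf_api_token parameter is the indicator quoted on the page.
        return None
    return {
        "ip": m.group("ip"),
        "known_ip": m.group("ip") == PROBE_IP,
        "known_token": KNOWN_TOKEN in tokens,
        "action": query.get("action", [None])[0],
        "status": int(m.group("status")),
        "plugin_dir": p.group(1),
    }


def scan_access_log(lines):
    """Classify every line and keep the probes, in log order."""
    return [r for r in map(classify_request, lines) if r]


def scan_plugin_tree(root):
    """Map relative file paths under root to the IOC strings found in them."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        found = [s for s in IOC_STRINGS if s in text]
        if found:
            hits[str(path.relative_to(root))] = found
    return hits


UA = "Mozilla/5.0 (X11; Linux x86_64)"  # placeholder; the real spoofed UA is not on the page
# Constructed log lines: two probes from the quoted IP, one ordinary page view,
# one request to notification.php without the parameter, one probe from another IP.
SAMPLE_LOG = [
    f'193.160.101.6 - - [11/Jul/2025:06:01:12 +0000] "GET /wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token={KNOWN_TOKEN}&action=ping HTTP/1.1" 200 2 "-" "{UA}"',
    f'193.160.101.6 - - [11/Jul/2025:06:01:13 +0000] "GET /wp-content/plugins/gravityforms/notification.php?gf_api_token={KNOWN_TOKEN}&action=ping HTTP/1.1" 404 - "-" "{UA}"',
    f'203.0.113.7 - - [11/Jul/2025:06:02:40 +0000] "GET /contact/ HTTP/1.1" 200 5123 "https://example.org/" "{UA}"',
    f'198.51.100.4 - - [11/Jul/2025:06:03:01 +0000] "GET /wp-content/plugins/gravityforms/notification.php HTTP/1.1" 200 812 "-" "{UA}"',
    f'198.51.100.9 - - [11/Jul/2025:06:05:55 +0000] "GET /wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token={KNOWN_TOKEN}&action=ping HTTP/1.1" 200 2 "-" "{UA}"',
]


def demo_scan_plugin_tree():
    """Build a constructed two-file plugin directory (one clean file, one stand-in
    carrying the IOC strings, not the real injected code) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "gravityforms"
        plugin.mkdir()
        (plugin / "gravityforms.php").write_text("<?php\n// clean stub, constructed\n")
        (plugin / "notification.php").write_text(
            "<?php\n// constructed stand-in carrying the IOC strings\n"
            "$token = $_GET['gf_api_token'] ?? '';\n"
            "$host = 'gravityapi.org';\n"
        )
        return scan_plugin_tree(plugin)


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
    print(demo_scan_plugin_tree())
```

Run it against a real combined-format access log with `scan_access_log(open("access.log"))` and against a real plugin directory with `scan_plugin_tree("/var/www/html/wp-content/plugins/gravityforms")`. A probe from an IP other than 193.160.101.6 but carrying the same token is still reported, since the token and the parameter name are the stable indicators; the IP may change.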

Update 7-11-2025 14:10 UTC: Version 2.9.13 has been released so that customers can safely update to a version without the backdoor. In addition, Namecheap (the domain registrar) has suspended the domain name gravityapi.org, which prevents the backdoor component that connects to this domain from completing its callback.

Update 7-11-2025 12:38 UTC: We received from our reporter copies of both the backdoored version and the patched version of the plugin, and the technical details in this article have been updated accordingly. We also received confirmation from a member of RocketGenius staff that the malware only affects manual downloads and Composer installations of the plugin.

Update 7-11-2025 12:07 UTC: We received word from our reporter that Gravity Forms has responded to their initial email and confirmed that they are investigating a malware breach of their product. The reporter states that the malicious code was found in version 2.9.12 (the latest version of the plugin at the time of this update); the malicious code is no longer present when users re-download the package. We have also added more IOCs to this article.

Update 7-11-2025 12:00 UTC: We have been in touch with multiple large web hosting companies who have scanned their servers for the IOCs. The infection does not appear to be widespread, which suggests that the backdoored plugin was only available for a very short period and was delivered to a small number of users.

The Patchstack team has been monitoring targeted supply chain attacks against plugin and theme vendors. The first case we noticed was Groundhogg, whose plugins were compromised with injected malware. The full details can be viewed here.

Today, we received information about a possible targeted supply chain attack against Gravity Forms. We are still actively investigating to understand the scale and impact, but as we have proof of infected websites and IOCs to watch for, we are sharing this information now so that people can check whether they have been affected.

Initial Discovery

On the 11th of July, we received a report from a user who found that a plugin they were downloading from the official gravityforms.com domain contained a suspicious HTTP request to the gravityapi.org domain. The reporter flagged this request because their monitoring system showed an extremely slow request to that domain.
