Introduction
On July 10–11, 2025, attackers compromised Gravity Forms’ official distribution channel, injecting malicious code into a core file within the plugin. The breach was quickly detected by security researchers after reports of unusual outbound network traffic from sites running freshly downloaded copies of Gravity Forms. This incident is one of the latest and most significant examples of a software supply-chain attack targeting WordPress ecosystems.
What Happened
Gravity Forms, a widely used premium WordPress plugin for building forms, became the victim of a supply-chain compromise when attackers modified the plugin’s installer. The altered file, common.php located in the plugin’s gravityforms/ directory, contained code that initiated unauthorized HTTP POST requests to a suspicious domain, gravityapi.org. Researchers at PatchStack and other security firms identified this behavior shortly after the malicious version was distributed, which led to rapid public disclosure and removal of the compromised installer from official sources. [1]
Why It Matters: The Supply-Chain Threat
This incident exemplifies a critical risk: supply-chain attacks can insert malicious code into otherwise trusted software, potentially impacting thousands or millions of systems. Gravity Forms is installed on over one million WordPress websites, including those operated by prominent organizations such as Airbnb, Nike, ESPN, Google, UNICEF, and Yale University. [2] A compromised plugin of this scale represents a significant risk for remote code execution, data theft, or further compromise of connected systems.
Supply-chain attacks have been increasing in frequency, as they offer attackers high leverage by compromising one vendor to impact many downstream victims. In this case, attackers effectively used Gravity Forms’ legitimate distribution platform as their delivery mechanism, which made it more likely that site owners would unknowingly install the tainted plugin.
Technical Indicators and Impact
Attack Vector
- Compromised installer downloaded from the Gravity Forms website.
- Time window of malicious distribution was approximately July 10–11, 2025.
- Malicious code issued HTTP POST requests to gravityapi.org/sites, potentially exfiltrating metadata or other sensitive data.
File Integrity Concerns
- The modified file was identified as gravityforms/common.php. Organizations are advised to check this file for unauthorized modifications and compare it with a clean version from the official plugin package.
Potential Consequences
- Remote Code Execution (RCE) on compromised WordPress installations.
- Data exfiltration via outbound HTTP requests.
- Further supply-chain impact if attackers leveraged access to pivot into other systems.
What Has Been Done
Gravity Forms’ team responded quickly, removing the compromised installer and replacing it with clean versions. Security researchers publicly disclosed the incident, which accelerated awareness and encouraged website owners to check their installations. [3]
Gravity Forms issued guidance for users to:
- Download a fresh copy of the plugin directly from their secured official portal.
- Reinstall Gravity Forms if it was downloaded or updated during the compromise window.
- Inspect logs for outbound POST requests to gravityapi.org.
- Review server files for unauthorized changes.
Organizations affected during the attack window are advised to perform thorough incident response activities, including credential rotation and deeper forensic review of their web environments.
Indicators of Compromise (IOCs)
Key indicators associated with this breach include:
| Type | Value | Description |
|---|---|---|
| Domain | gravityapi.org | Command-and-control domain used by the attackers. |
| URL Path | POST /sites | Endpoint where data was sent. |
| File Path | gravityforms/common.php | File modified to include backdoor code. |
| Behavioral IOC | Outbound POST traffic to gravityapi.org | Indicator of possible infection. |
Administrators should search web server logs for outbound connections to gravityapi.org and verify file integrity for all Gravity Forms plugin files.
Remediation Steps
If you downloaded or updated Gravity Forms between July 10 and July 11, 2025:
- Re-download the plugin from Gravity Forms’ official website and reinstall it.
- Compare the common.php file against the official version to check for unauthorized code.
- Inspect logs for any HTTP POST requests targeting gravityapi.org.
- Rotate credentials and API keys if compromise is suspected.
- Conduct a thorough forensic analysis to determine any additional lateral movement or malicious activity.
To reduce supply-chain risks in the future:
- Maintain strict controls over software updates and plugins.
- Use egress filtering to restrict outbound network connections to trusted domains.
- Employ file integrity monitoring tools to detect unauthorized changes in critical files.
- Subscribe to trusted security advisories for early warnings of compromised plugins or supply-chain attacks.
Conclusion
The Gravity Forms supply-chain attack underscores a critical truth in modern cybersecurity: even trusted vendors can become vectors for compromise. The short window of distribution minimized widespread damage, but the incident still placed countless websites at risk. Website owners and administrators should act swiftly to confirm the integrity of their Gravity Forms installations and apply rigorous monitoring and security controls to defend against future supply-chain threats.
Footnotes
- Lawrence Abrams, “WordPress Gravity Forms Developer Hacked to Push Backdoored Plugins,” Bleeping Computer, July 11, 2025, https://www.bleepingcomputer.com/news/security/wordpress-gravity-forms-developer-hacked-to-push-backdoored-plugins/.
- Ibid.
- Oliver Sild, post on X (formerly Twitter), July 11, 2025, https://x.com/OliverSild/status/1943645543839781236.
