The popular WordPress plugin Gravity Forms has been compromised in what seems a supply-chain attack where manual installers from the official website were infected with a backdoor.

Gravity Forms is a premium plugin for creating contact, payment, and other online forms. Based on statistic data from the vendor, the product is isntalled on around one million websites, some belonging to well-known organizations like Airbnb, Nike, ESPN, Unicef, Google, and Yale.

Remote code execution on the server

WordPress security firm PatchStack says it received a report earlier today about suspicious requests generated by plugins downloaded from the Gravity Forms website.

After examining the plugin, PatchStack confirmed that it received a malicious file (gravityforms/common.php) downloaded from the vendor’s website. Closer examination revealed that the file initiated a POST request to a suspicious domain at “gravityapi.org/sites.”

Upon further analysis, the researchers found that the plugin collected extensive site metadata, including URL, admin path, theme, plugins, and PHP/WordPress versions, and exfiltrates it to the attackers.

The server response includes base64-encoded PHP malware, which is saved as “wp-includes/bookmark-canonical.php.”

The malware masquerades as WordPress Content Management Tools that enables remote code execution without the need to authenticate using functions like ‘handle_posts(),’ ‘handle_media(),’ ‘handle_widgets().’

“All of those functions can be called from __construct -> init_content_management -> handle_requests -> process_request function. So, it basically can be triggered by an unauthenticated user,” Patchstack explains.

“From all of the functions, it will perform an eval call with the user-supplied input, resulting in remote code execution on the server,” the researchers said.

RocketGenius, the developer behind Gravity Forms, was informed of the issue, and a staff member told Patchstack that the malware affected only manual downloads and composer installation of the plugin.

Patchstack recommends that anyone who downloaded Gravity Forms starting yesterday reinstall the plugin by getting a clean version. Admins should also scan their websites for any signs of infection.

According to Patchstack, the domains facilitating this operation were registered on July 8.

Hackers add admin account

RocketGenius has published a post-mortem of the incident confirming that only Gravity Forms 2.9.11.1 and 2.9.12 available for manual download between July 10 and 11 were compromised.

If admins ran a composer install for version 2.9.11 on any of the two dates, they received an infected copy of the product.

“The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected” – RocketGenius

RocketGenius says that the malicious code blocked update attempts, contacted an external server to fetch additional payloads, and added an admin account that gave the attacker complete control of the website.

The developer also provides methods for administrators to check for possible infection by following specific links on their websites.