WordPress website administrators are being urged to take immediate action following the discovery of a sophisticated supply chain attack targeting the widely-used Gravity Forms plugin.
The attack surfaced after security researchers observed anomalous traffic involving the gf_api_token parameter, with malicious requests emanating from the IP address 193.160.101.6.
Attackers were found probing multiple websites for specific plugin endpoints, including legacy and current versions of Gravity Forms, such as /wp-content/plugins/gravityforms_2.9.12/notification.php.
Malicious Functionality
The malicious campaign was first detected on July 11, 2025, when a suspicious HTTP POST request to the previously unknown domain gravityapi.org was observed within a plugin copy downloaded from the official gravityforms.com site.
Subsequent analysis revealed the domain had only been registered a few days earlier, on July 8, suggesting the attack was both recent and targeted.
Crucially, the attackers injected PHP code into the gravityforms/common.php file, introducing a new update_entry_detail() function.
According to the Patchstack report, this function gathers detailed WordPress site admin data, including URLs, plugin lists, user counts, and environment info, and transmits it to the attacker-controlled domain.
The server’s response can instruct the infected plugin to write a new PHP file to the site, decoding a base64 blob into locations such as wp-includes/bookmark-canonical.php.
The code masquerades as legitimate “Content Management Tools” yet is capable of executing attacker-supplied code via unsafe eval() calls, giving remote attackers unfettered access to site content and functionality.
Backdoor in Notification Handler
Further investigation revealed a second malicious entry point through the includes/settings/class-settings.php file.
This file checks for a hardcoded API token and, upon validation, accepts various actions via the gf_api_action parameter.
These actions allow remote attackers to create admin accounts, upload arbitrary files, list or delete users, and execute base64-encoded PHP code, all without further authentication.
The malicious logic is triggered through the plugin’s notification.php, which loads WordPress and directly invokes the backdoored functionality.
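The first question for a defender reading the two sections above is whether the probing traffic reached their own servers. The following Python is an added example, not code from the article, Patchstack or Gravity Forms: it parses combined-format web server access log lines and flags the three indicators the article gives for the backdoor, namely the listed source IPs, requests to a Gravity Forms notification.php trigger (versioned copies such as gravityforms_2.9.12 included), and the gf_api_token / gf_api_action parameters. The log lines are constructed, the token and action values are placeholders, and the combined log format is an assumption about the server.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article: IOC source IPs, the backdoor's request
# parameters and the trigger script. The log format and matching logic are
# assumptions about how a defender would search an access log.
IOC_IPS = {"193.160.101.6", "185.193.89.19"}
BACKDOOR_PARAMS = {"gf_api_token", "gf_api_action"}
TRIGGER_SCRIPT = "notification.php"

# Apache/Nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Finding:
    ip: str
    target: str
    reasons: list


def analyse_line(line):
    """Return a Finding for a suspicious access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target = m.group("ip"), m.group("target")
    path, _, query = target.partition("?")
    reasons = []
    if ip in IOC_IPS:
        reasons.append("source IP listed as an IOC")
    # Covers both the unversioned plugin directory and versioned copies such as
    # gravityforms_2.9.12 left behind by manual downloads.
    lowered = path.lower()
    if "/plugins/gravityforms" in lowered and lowered.endswith(TRIGGER_SCRIPT):
        reasons.append("request to the Gravity Forms notification.php trigger")
    # Only query-string parameters are visible in an access log; a token sent in
    # a POST body needs WAF or request-body logging to be seen at all.
    params = {kv.split("=", 1)[0].lower() for kv in query.split("&") if kv}
    hit = params & BACKDOOR_PARAMS
    if hit:
        reasons.append("backdoor parameter in query string: " + ", ".join(sorted(hit)))
    return Finding(ip, target, reasons) if reasons else None


def scan_log(lines):
    """Run analyse_line over an iterable of log lines and keep the hits."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


# Constructed sample log lines. TOKEN_PLACEHOLDER and ACTION_PLACEHOLDER stand in
# for values the article does not publish; 203.0.113.10 and 198.51.100.7 are
# documentation addresses, not incident IOCs.
SAMPLE_LOG = [
    '193.160.101.6 - - [11/Jul/2025:10:15:01 +0000] "POST /wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=TOKEN_PLACEHOLDER&gf_api_action=ACTION_PLACEHOLDER HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [11/Jul/2025:10:16:44 +0000] "GET /wp-content/plugins/gravityforms/notification.php HTTP/1.1" 404 198 "-" "curl/8.0"',
    '198.51.100.7 - - [11/Jul/2025:10:17:02 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '185.193.89.19 - - [11/Jul/2025:10:18:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding.ip, finding.target)
        for reason in finding.reasons:
            print("   -", reason)
```

A 404 on the trigger path (the second sample line) is still worth recording: it shows a site being probed for the backdoored plugin copy even when that copy is not installed, which is the scanning behaviour the article describes.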
Within hours of the initial disclosure, Gravity Forms staff confirmed an ongoing investigation and released version 2.9.13 of the plugin, free from the backdoor.
Namecheap responded by suspending the attacker’s gravityapi.org domain to disrupt ongoing exploitation.
Security firms and large web hosting providers have since scanned for the supplied Indicators of Compromise (IOCs), though the infection appears contained, likely due to the short window during which the compromised plugin was distributed, primarily via manual download or Composer installations rather than auto-updates.
Security teams are advised to scrutinize sites for IOCs, remove any files added by the malware, and immediately update to the sanitized Gravity Forms version.
Evidence so far indicates the threat was narrowly targeted but highly dangerous for any affected installations.
Indicators of Compromise (IOC)
| Indicator | Description |
|---|---|
| 185.193.89.19 | Known malicious IP address |
| 193.160.101.6 | IP observed scanning for backdoor |
| gravityapi.org | Attacker-controlled C2 domain |
| gravityapi.io | Related suspicious domain |
| gravityforms/common.php | Infected plugin file |
| includes/settings/class-settings.php | Malicious code injection point |
| notification.php | Backdoor trigger endpoint |
| wp-includes/bookmark-canonical.php | Malicious PHP file dropped on server |
| wp-includes/block-caching.php | Possible alternate dropped file |
| gf_api_token (hardcoded token value) | Backdoor authentication credential |
| update_entry_detail (PHP function) | Malicious function name to detect |
| list_sections (PHP function) | Backdoor control function |
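The file-based indicators in the table lend themselves to a host-side sweep. The Python below is an added example, not tooling from the article, Patchstack or Gravity Forms: given a WordPress root it checks for the two dropped files named above and greps the three named plugin files in every gravityforms* plugin directory for the function names, parameter names and C2 domains the table lists. The fixture it builds for the demonstration is constructed from placeholder strings and contains none of the malware; only the file names and indicator strings come from the article.

```python
import os
import re
import tempfile

# Dropped files named in the article, relative to the WordPress root.
DROPPED_FILES = [
    "wp-includes/bookmark-canonical.php",
    "wp-includes/block-caching.php",
]
# Files inside a Gravity Forms plugin directory that the article names as
# carrying injected code, relative to that plugin directory.
INJECTED_FILES = [
    "common.php",
    "includes/settings/class-settings.php",
    "notification.php",
]
# Strings the IOC table associates with the injected code.
CODE_INDICATORS = [
    re.compile(r"function\s+update_entry_detail\s*\("),
    re.compile(r"function\s+list_sections\s*\("),
    re.compile(r"gravityapi\.(?:org|io)"),
    re.compile(r"gf_api_token"),
    re.compile(r"gf_api_action"),
]


def scan_wordpress(root):
    """Return (relative_path, reason) pairs for every indicator found under root."""
    findings = []
    for rel in DROPPED_FILES:
        if os.path.isfile(os.path.join(root, rel)):
            findings.append((rel, "dropped file present"))
    plugins_dir = os.path.join(root, "wp-content", "plugins")
    if not os.path.isdir(plugins_dir):
        return findings
    for name in sorted(os.listdir(plugins_dir)):
        # Cover "gravityforms" as well as versioned copies such as
        # "gravityforms_2.9.12" left behind by manual downloads.
        if not name.startswith("gravityforms"):
            continue
        for rel in INJECTED_FILES:
            path = os.path.join(plugins_dir, name, rel)
            if not os.path.isfile(path):
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for rx in CODE_INDICATORS:
                if rx.search(text):
                    findings.append((f"wp-content/plugins/{name}/{rel}", f"matches /{rx.pattern}/"))
    return findings


def build_fixture(root):
    """Constructed fixture: a minimal tree carrying three of the article's
    indicators. File contents are placeholder strings, not the malware."""
    plugin = os.path.join(root, "wp-content", "plugins", "gravityforms_2.9.12")
    os.makedirs(os.path.join(root, "wp-includes"))
    os.makedirs(os.path.join(plugin, "includes", "settings"))
    with open(os.path.join(root, "wp-includes", "bookmark-canonical.php"), "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    with open(os.path.join(plugin, "common.php"), "w") as fh:
        fh.write("<?php\n// constructed placeholder\n"
                 "function update_entry_detail() { return 'https://gravityapi.org/'; }\n")
    with open(os.path.join(plugin, "includes", "settings", "class-settings.php"), "w") as fh:
        fh.write("<?php\n// constructed placeholder mentioning gf_api_token\n")


def demo():
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        return scan_wordpress(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Every hit is a lead rather than a verdict: confirm it by diffing the flagged file against a clean copy of Gravity Forms 2.9.13 obtained from the vendor, and treat any file in wp-includes that is not part of the WordPress release as suspect even if its name is not on the list above.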