Millions at Risk as Gravity Forms WordPress Plugin Gets Backdoored
Patchstack has identified a critical supply chain attack targeting Gravity Forms, one of WordPress’s most widely used premium plugins, which is installed on over a million sites.
The attack injected malware into manual download packages of versions 2.9.11.1 and 2.9.12 between July 9 and 10, 2025. However, users who updated through the plugin’s auto-update system were not affected.
Malicious code was embedded into the plugin’s file gravityforms/common.php. When installed, it contacted a rogue domain, gravityapi.org, sending sensitive site and server information before enabling remote code execution. The backdoor allowed the attackers to upload arbitrary files, list or delete user accounts, browse directories, and inject backdoor admin accounts and remote code.
RocketGenius, the plugin’s publisher, responded immediately. It removed the compromised packages and rolled out version 2.9.13. This new patch secures download credentials and terminates the malware’s command server domain.
Users were alerted to the threat and urged to reinstall safe versions and audit their sites for unusual activity. Sites that installed the vulnerable versions manually or via Composer should test specific URL paths on their site (like /wp-content/plugins/gravityforms/notification.php?action=ping) to detect infection.
Users are advised that if errors occur, they should update their backup, remove and replace the Gravity Forms plugin with a clean copy of version 2.9.13, restore from backups made before July 9, audit admin accounts, and firewall any connections to gravityapi.org or flagged IP addresses.
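As an added example (not code from the article, Patchstack or RocketGenius), here is a small Python triage script a site owner could run against an unpacked copy of the plugin directory and a web access log, using only the indicators named above. The plugin-header parsing, the mock plugin tree and the sample log lines are constructed assumptions for demonstration.

```python
import re
import tempfile
from pathlib import Path
# Indicators taken from the advisory text on this page.
ROGUE_DOMAIN = "gravityapi.org"
BACKDOOR_FILE = "notification.php"  # probed with ?action=ping on infected sites
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}
PING_RE = re.compile(r"/wp-content/plugins/gravityforms/notification\.php\?action=ping")
# Constructed access-log lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2025:08:12:31 +0000] "GET /wp-content/plugins/gravityforms/notification.php?action=ping HTTP/1.1" 200 17',
    '198.51.100.7 - - [10/Jul/2025:08:13:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4523',
]

def plugin_version(plugin_dir):
    """Read 'Version:' from the standard WordPress plugin header in gravityforms.php."""
    header = plugin_dir / "gravityforms.php"
    if not header.is_file():
        return None
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header.read_text(errors="ignore"), re.M)
    return m.group(1) if m else None

def scan_plugin(plugin_dir):
    """Static triage of an unpacked gravityforms/ directory: version, dropped file, C2 references."""
    version = plugin_version(plugin_dir)
    domain_refs = sorted(str(p.relative_to(plugin_dir)) for p in plugin_dir.rglob("*.php")
                         if ROGUE_DOMAIN in p.read_text(errors="ignore"))
    return {"version": version, "affected_version": version in AFFECTED_VERSIONS,
            "backdoor_file_present": (plugin_dir / BACKDOOR_FILE).is_file(),
            "domain_refs": domain_refs}

def ping_probe_hits(log_lines):
    """Access-log lines that request the backdoor's ping endpoint (scanner probing or operator use)."""
    return [line for line in log_lines if PING_RE.search(line)]

def build_sample_install(root):
    """Construct a mock gravityforms/ tree carrying the indicators; sample data, not plugin code."""
    plugin_dir = root / "gravityforms"
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "gravityforms.php").write_text("<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n")
    (plugin_dir / "common.php").write_text("<?php\n// constructed stand-in for the injected callout\n$c2 = 'https://gravityapi.org/';\n")
    (plugin_dir / BACKDOOR_FILE).write_text("<?php // constructed placeholder for the dropped endpoint\n")
    return plugin_dir

def run_demo():
    """Scan the constructed sample in a temp dir; returns findings plus the log-hit count."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_plugin(build_sample_install(Path(tmp)))
    findings["ping_probe_hits"] = len(ping_probe_hits(SAMPLE_LOG))
    return findings
```

On a real site, point `scan_plugin` at `wp-content/plugins/gravityforms` and feed `ping_probe_hits` the web server's access log; any hit on the version, file or domain checks should be followed by the reinstall and backup-restore steps above.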
WordPress plugins have had a long history of malware infections, which shows that even downloads from official sources can be hijacked if installers aren’t secured.

Abdul Wasay explores emerging trends across AI, cybersecurity, startups and social media platforms in a way anyone can easily follow.