- The RocketGenius website served a malicious variant of the Gravity Forms WordPress add-on for two days
- The variant harvested extensive information and allowed for RCE
- The malware affected only manual downloads and composer installations
Gravity Forms, a popular WordPress add-on with at least a million users, was victim of a supply chain attack in which threat actors tried to deploy malware to its users and take over their websites.
Security researchers from PatchStack discovered someone managed to infiltrate Gravity Forms’ website, and compromise the plug-in installation file hosted there.
On July 10 and 11, users could download Gravity Forms versions 2.9.11.1 and 2.9.12, which came with malicious files that collected extensive site metadata, and malware that allowed for remote code execution (RCE) attacks.
Risky manual downloads
The malware also blocked any attempts to update the add-on, contacted an external server to deploy additional payloads, and created an admin account that granted attackers full control over the compromised website.
Gravity Forms is a premium WordPress plugin enabling users to build different forms using a drag-and-drop interface. It integrates with a wide range of third-party services, making it popular for contact forms, surveys, payment forms, and more.
After being notified about the attack, RocketGenius, the company that develops Gravity Forms, investigated further, and determined that the malware affected only manual downloads and composer installations of the plugin.
“The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected,” RocketGenius explained.
Therefore, all users who downloaded Gravity Forms directly from RocketGenius’ website on either July 10 or 11, should delete the plug-in and reinstall it with a clean version. Furthermore, admins should analyze their websites for any signs of compromise.
The first clean version of the add-on is 2.9.13, which is now available for download.
Via BleepingComputer
