15 comments

[ 3.1 ms ] story [ 46.1 ms ] thread
Using a nonce before checking the form would have prevented much of the problems described. Or stated differently, it would suddenly require lots of manual labour.
I’m from a technical background and so I understand this but being a Brit sentences like this are always funny to me
Should say what plugin it is.
I really appreciate that this supply breach was discovered by a diligent system operator (tracking a slow HTTP request).

Similarly, the xz breach was uncovered by a diligent developer looking at quirky SSH login performance regressions.

How is this even possible? Is the most likely explanation that a bad actor within GravityForms snuck something in?

I didn’t see anything in the article but I may have missed it.

Ten bucks says it's prompt hijacking an LLM being used to code and reference docs.
Nice work to identify this malware and take action against it spreading. The article does have one small error though that made me do a double-take.

The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.

(comment deleted)
Popped by AB of Ac1dB1tch3z
What does this impact? 90% of sites on the internet? Just a couple of low-traffic sites?
"The infection does not seem to be widespread, which could mean that the backdoored plugin was only available for a very short period of time and only delivered to a small number of users."
> We also received a confirmation from one of the staff of RocketGenius that the malware only affects manual downloads and composer installation of the plugin.

Phew.

The official Gravity Forms post [0] indicates you were only compromised if you installed Gravity Forms via direct website download or Composer install.

From what I can see, Composer install methods use the same Gravity Forms API to fetch the install package as the auto-update feature within the plugin. Their WP-CLI plugin uses the same mechanism too.

It will be interesting to see if the Gravity Forms developers engage a third party security firm to investigate this incident. So far they have not mentioned it.

[0] https://www.gravityforms.com/blog/security-incident-notice/

Am I alone in thinking it's kind of nuts that there's a $259 extension for Web Forms in the first place. Is this WordPress being horribly broken, the WordPress ecosystem being a playground for grifters, naive non-technical WordPress users or all three?