Using a nonce before checking the form would have prevented much of the problems described. Or stated differently, it would suddenly require lots of manual labour.
Nice work to identify this malware and take action against it spreading. The article does have one small error though that made me do a double-take.
The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.
"The infection does not seem to be widespread, which could mean that the backdoored plugin was only available for a very short period of time and only delivered to a small number of users."
> We also received a confirmation from one of the staff of RocketGenius that the malware only affects manual downloads and composer installation of the plugin.
The official Gravity Forms post [0] indicates you were only compromised if you installed Gravity Forms via direct website download or Composer install.
From what I can see, Composer install methods use the same Gravity Forms API to fetch the install package as the auto-update feature within the plugin. Their WP-CLI plugin uses the same mechanism too.
It will be interesting to see if the Gravity Forms developers engage a third party security firm to investigate this incident. So far they have not mentioned it.
Am I alone in thinking it's kind of nuts that there's a $259 extension for Web Forms in the first place. Is this WordPress being horribly broken, the WordPress ecosystem being a playground for grifters, naive non-technical WordPress users or all three?
15 comments
[ 3.1 ms ] story [ 46.1 ms ] threadSimilarly, the xz breach was uncovered by a diligent developer looking at quirky SSH login performance regressions.
I didn’t see anything in the article but I may have missed it.
The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.
Phew.
From what I can see, Composer install methods use the same Gravity Forms API to fetch the install package as the auto-update feature within the plugin. Their WP-CLI plugin uses the same mechanism too.
It will be interesting to see if the Gravity Forms developers engage a third party security firm to investigate this incident. So far they have not mentioned it.
[0] https://www.gravityforms.com/blog/security-incident-notice/