Supply Chain Breach in Gravity Forms Plugin Reveals Malware Injection Risk

Update (July 11, 2025): Gravity Forms version 2.9.13 has been released as of this writing. Terminus Agency strongly recommends that all users update to the latest version immediately to ensure their sites are protected from the recently discovered supply chain compromise detailed below. Terminus Agency clients on our WordPress Hosting & Maintenance plans do not need to take any action as this has already been handled for them.

On July 11, 2025, a serious supply chain compromise was uncovered in the widely used Gravity Forms WordPress plugin. Security researchers confirmed that versions 2.9.11.1 and 2.9.12 of the plugin, available for manual download through specific channels, had been tampered with. This breach enabled attackers to inject malicious code into plugin files, granting remote access to infected websites.

What Happened

For a limited time, two Gravity Forms core plugin packages offered for manual download were compromised by an external agent. This unauthorized actor inserted malicious code designed to provide backdoor access to affected sites.

These modifications aimed to prevent updates, communicate with an external server (gravityapi.org), and ultimately create a new administrator account on the site, paving the way for further attacks including remote code execution and data exfiltration.

Affected Versions and Conditions

Only users who downloaded Gravity Forms under very specific conditions were at risk. Specifically:

  • Manual download of version 2.9.11.1 on July 9 or 10, 2025
  • Manual download of version 2.9.12 on July 10, 2025
  • Installation of version 2.9.11.1 via Composer on those same dates

Auto-updated installations or downloads performed on other dates were not affected. Additionally, Gravity Forms’ API service (used for licensing, auto-updates, and plugin installations initiated within the WordPress dashboard) was never compromised.

Malware Behavior

If installed, the malicious code would:

  • Prevent the plugin from being updated
  • Contact a remote domain (gravityapi.org) to retrieve additional code
  • Write and execute a new file containing malicious functions
  • Attempt to create a new administrator account

This payload could allow attackers to inject further code, delete users, read directories, and compromise other WordPress core features.

Confirming Infection

If you downloaded and installed Gravity Forms under the affected conditions, you can verify whether your site is infected by visiting the following URLs (adjust as needed if your wp-content folder is renamed):

{your_domain}/wp-content/plugins/gravityforms/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

{your_domain}/wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

{your_domain}/wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

If any of these URLs return an error message referencing an undefined array key for gf_api_action, your site is likely compromised.
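The check above can be scripted so that it runs against every site you manage and produces a verdict per probe URL. The following is an added example written for this post; it is not code from Rocketgenius or Gravity Forms. It uses only the token, plugin directory names and error-message indicator published above, and it assumes PHP notices are visible in the HTTP response (the `fetcher` parameter is an assumed hook that lets the classification logic run without a network). Because PHP 7 phrases the notice as "Undefined index" and PHP 8 as "Undefined array key", the matcher looks for "undefined" together with the `gf_api_action` key name rather than the exact wording.

```python
"""Probe the three advisory URLs and classify each response (added example, not vendor code)."""
import sys
import urllib.error
import urllib.request

# Token and plugin directory names exactly as published in the advisory above.
GF_API_TOKEN = "Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3"
PLUGIN_DIRS = ("gravityforms", "gravityforms_2.9.11.1", "gravityforms_2.9.12")


def build_check_urls(site, wp_content="wp-content"):
    """Return the three probe URLs for a site; wp_content covers renamed content folders."""
    base = site.rstrip("/")
    return [
        f"{base}/{wp_content}/plugins/{d}/notification.php"
        f"?gf_api_token={GF_API_TOKEN}&action=ping"
        for d in PLUGIN_DIRS
    ]


def looks_compromised(body):
    """The advisory's indicator: a PHP notice about an undefined 'gf_api_action' key.
    Case-insensitive and tolerant of the PHP 7 ('Undefined index') vs PHP 8
    ('Undefined array key') wording."""
    text = body.lower()
    return "undefined" in text and "gf_api_action" in text


def fetch(url, timeout=10):
    """Return (status, body). HTTP error responses still carry the body we must inspect."""
    req = urllib.request.Request(url, headers={"User-Agent": "gf-backdoor-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)


def check_site(site, fetcher=fetch, wp_content="wp-content"):
    """Map each probe URL to 'COMPROMISED', 'not detected' or 'unreachable'.
    'fetcher' is an assumed, injectable hook so the logic runs without network access."""
    verdicts = {}
    for url in build_check_urls(site, wp_content):
        status, body = fetcher(url)
        if status is None:
            verdicts[url] = "unreachable"
        elif looks_compromised(body):
            verdicts[url] = "COMPROMISED"
        else:
            verdicts[url] = "not detected"
    return verdicts


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: gf_check.py https://your-site.example [wp-content-dir]")
    wp_dir = sys.argv[2] if len(sys.argv) > 2 else "wp-content"
    results = check_site(sys.argv[1], wp_content=wp_dir)
    for probe, verdict in results.items():
        print(f"{verdict:13s} {probe}")
    # Non-zero exit when any probe matched, so the script can gate a monitoring job.
    sys.exit(1 if "COMPROMISED" in results.values() else 0)
```

A "not detected" verdict is not proof of a clean install: if `display_errors` is off on the server, the notice never reaches the response body even when the backdoored file is present. Treat the URL probe as a quick triage step and pair it with a file-level review of the plugin directory.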

Remediation Steps

If your site is infected:

Best practice: Restore a complete site backup taken before July 9, 2025.

If that is not possible:

  1. Deactivate and delete any version 2.9.11.1 or 2.9.12 plugin (do not use the Uninstall option).
  2. Download Gravity Forms 2.9.13 or higher from your account at gravityforms.com.
  3. Reinstall and activate the clean version.

Block communication with the malware’s infrastructure:

  • Domain: gravityapi.org
  • IPs: 185.243.113.108, 185.193.89.19, 24.245.59.0, 194.87.63.219

Audit your site:

  • Review all admin-level users
  • Reset passwords and check for suspicious accounts
  • Use malware detection tools like Wordfence, Patchstack, or SolidWP
  • Check logs for suspicious activity
  • Follow recommendations from WordPress.org’s security guide
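The blocking list and the audit checklist above both reduce to the same question: does anything on the host reference the malware's infrastructure, and is an affected build installed? The following added example (written for this post, not Rocketgenius code) scans a Gravity Forms plugin directory for the published domain and IP indicators, reads the installed version from the `Version:` header of `gravityforms.php`, and filters log lines for the same indicators. The sample install and log lines it creates are constructed for illustration; the `make_sample_install` helper is an assumption of this example and simply writes those constructed files to a temporary directory.

```python
"""Scan a plugin directory and log lines for the advisory's indicators (added example)."""
import re
import tempfile
from pathlib import Path

# Indicators exactly as listed in the advisory.
IOC_DOMAIN = "gravityapi.org"
IOC_IPS = {"185.243.113.108", "185.193.89.19", "24.245.59.0", "194.87.63.219"}
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}

IOC_PATTERN = re.compile(
    re.escape(IOC_DOMAIN) + "|" + "|".join(re.escape(ip) for ip in sorted(IOC_IPS))
)
# WordPress plugin header line, e.g. " * Version: 2.9.12" or "Version: 2.9.12".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9.]+)", re.M)
SCAN_SUFFIXES = {".php", ".js", ".txt", ".json"}


def installed_version(plugin_dir):
    """Read the version from the plugin's main file; None if it is missing."""
    main = Path(plugin_dir) / "gravityforms.php"
    if not main.is_file():
        return None
    match = VERSION_RE.search(main.read_text(errors="replace"))
    return match.group(1) if match else None


def scan_files(root):
    """Return (relative path, line number, line) for each line mentioning an IoC."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SCAN_SUFFIXES:
            continue
        for number, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if IOC_PATTERN.search(line):
                hits.append((str(path.relative_to(root)), number, line.strip()))
    return hits


def scan_log_lines(lines):
    """Keep only log lines (proxy, firewall, DNS, shell history) that mention an IoC."""
    return [line for line in lines if IOC_PATTERN.search(line)]


def assess(plugin_dir, log_lines=()):
    """Combine the version check, file scan and log scan into one report."""
    version = installed_version(plugin_dir)
    return {
        "version": version,
        "version_affected": version in AFFECTED_VERSIONS,
        "file_hits": scan_files(plugin_dir),
        "log_hits": scan_log_lines(log_lines),
    }


# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG_LINES = [
    "2025-07-10T14:02:11Z wp-host php-fpm[2310]: outbound connect 185.243.113.108:443 (gravityapi.org)",
    "2025-07-10T14:02:12Z wp-host sshd[2311]: Accepted publickey for deploy from 10.0.0.5",
]


def make_sample_install(root=None):
    """Write a constructed plugin directory (assumed helper) that mimics an affected install."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="gf-sample-"))
    (root / "gravityforms.php").write_text("<?php\n/*\nPlugin Name: Gravity Forms\nVersion: 2.9.12\n*/\n")
    (root / "notification.php").write_text("<?php\n$remote = 'https://gravityapi.org/';\n")
    (root / "readme.txt").write_text("Gravity Forms\n")
    return str(root)


if __name__ == "__main__":
    report = assess(make_sample_install(), SAMPLE_LOG_LINES)
    print(f"version {report['version']} affected={report['version_affected']}")
    for rel, number, line in report["file_hits"]:
        print(f"file hit  {rel}:{number}: {line}")
    for line in report["log_hits"]:
        print(f"log hit   {line}")
```

Run it against the real directory (`wp-content/plugins/gravityforms`) and a stream of your server or egress logs instead of the sample. An empty report does not by itself clear a site that was exposed on the dates listed, because the attacker's second-stage file is fetched at runtime and may not contain these literals; the version check and the admin-user review remain the decisive steps.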

Gravity Forms Response

Rocketgenius, the developer of Gravity Forms, responded quickly to this breach:

  • Cleaned and re-released version 2.9.13
  • Rotated all credentials and keys used in distribution infrastructure
  • Performed a full administrative audit
  • Notified CVE authorities and coordinated takedowns of malicious infrastructure
  • Confirmed that all current downloads on gravityforms.com are secure

They continue to work with affected customers and can be contacted at security@rocketgenius.com or through support.

A Word on Supply Chain Security

This breach underscores a larger issue in WordPress plugin development: supply chain security. Even when users take every precaution, compromised infrastructure or insufficient account protections upstream can result in dangerous plugin builds.

One common vulnerability is the lack of two-factor authentication (2FA) on developer accounts. If a malicious actor gains access to a plugin author’s GitHub, Composer registry, or deployment server, they can inject malware directly into the release pipeline—as likely happened here.

As agencies and developers, it’s critical to enforce 2FA and secure every stage of the build and distribution process. Tools like code signing, hash validation, and tighter CI/CD security should become standard practice.
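Hash validation is the cheapest of the controls named above, but it only helps when the expected digest comes from a channel the attacker did not control; in this incident the download package itself was swapped, so a digest served beside the package would have been swapped too. The added example below (written for this post, not Rocketgenius tooling) verifies a downloaded archive against a digest from an out-of-band manifest in `sha256sum` format. The manifest content and the archive bytes are constructed for illustration, and the digest shown is that of the constructed three-byte sample, not of any real Gravity Forms release; `make_sample_archive` is an assumed helper.

```python
"""Verify a downloaded plugin archive against an out-of-band SHA-256 manifest (added example)."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large archives do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_sha256sums(text):
    """Parse 'digest  filename' lines (sha256sum format) into {filename: digest}."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with '*'
        if len(digest) == 64 and name:
            manifest[name] = digest.lower()
    return manifest


def verify_archive(path, expected_hex):
    """Constant-time comparison of the computed digest with the expected one."""
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_against_manifest(path, manifest_text):
    """Look the archive up by file name in the manifest; unknown names fail closed."""
    expected = parse_sha256sums(manifest_text).get(Path(path).name)
    if expected is None:
        return False
    return verify_archive(path, expected)


# Constructed manifest: the digest is SHA-256 of the sample bytes b"abc" below,
# NOT the digest of a real Gravity Forms package.
SAMPLE_MANIFEST = """\
# published out of band, e.g. on a signed vendor page
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  gravityforms_2.9.13.zip
"""


def make_sample_archive(data=b"abc", name="gravityforms_2.9.13.zip"):
    """Write a constructed stand-in for a downloaded archive (assumed helper)."""
    path = Path(tempfile.mkdtemp(prefix="gf-dl-")) / name
    path.write_bytes(data)
    return str(path)


if __name__ == "__main__":
    archive = make_sample_archive()
    ok = verify_against_manifest(archive, SAMPLE_MANIFEST)
    print(f"{Path(archive).name}: {'digest OK, safe to install' if ok else 'DIGEST MISMATCH, do not install'}")
```

In a deployment pipeline this check sits between the download step and the unzip step, and the manifest is fetched from a separate, authenticated source (or a signed file whose signature is checked first); a failure should abort the deploy rather than log a warning.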

Final Recommendations

  • If you installed a plugin version under the conditions described, follow the steps above immediately.
  • Confirm you’re now running 2.9.13 or higher.
  • Use this incident as an opportunity to reassess your security posture—both in your WordPress installs and in your development workflows.

Terminus Agency will continue to monitor the situation and assist any clients affected by this breach.