
Hackers Compromise WordPress GravityForms Plugin with Malicious Code Injection


Hackers have targeted the popular WordPress plugin Gravity Forms, injecting malicious code into versions downloaded from the official gravityforms.com domain.

The breach was first reported on July 11, 2025, when security researchers noticed suspicious HTTP requests to the domain gravityapi.org, which was registered just days earlier on July 8, 2025.

This domain, now suspended by registrar Namecheap, served as a command-and-control server for the malware.

Attack Details

The compromised plugin, specifically version 2.9.12, included backdoors that exfiltrated sensitive site data such as URLs, WordPress versions, PHP details, active plugins, and user counts, sending them via POST requests to the malicious endpoint.

Upon receiving a response, the code would decode and write a backdoored file, like wp-includes/bookmark-canonical.php, to the server, masquerading as legitimate WordPress content management tools.

This file contained remote code execution capabilities through eval functions triggered by unauthenticated requests, allowing attackers to manipulate ...
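A host-side check for the indicators named above (the gravityapi.org domain, the wp-includes/bookmark-canonical.php file and version 2.9.12), as an added example that is not code from the original report or from Gravity Forms. The function names, the plugin path wp-content/plugins/gravityforms/gravityforms.php and the sample tree are assumptions made for illustration.

```python
import os
import re

# Indicators taken from the article text.
C2_DOMAIN = b"gravityapi.org"
DROPPED_FILE = os.path.join("wp-includes", "bookmark-canonical.php")
REPORTED_VERSION = "2.9.12"
# Assumption: Gravity Forms is installed under its usual plugin slug.
PLUGIN_MAIN = os.path.join("wp-content", "plugins", "gravityforms", "gravityforms.php")
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:\s*([0-9][\w.\-]*)", re.I | re.M)


def scan_wordpress(root):
    """Return sorted (kind, detail) findings for one WordPress root."""
    findings = []
    if os.path.isfile(os.path.join(root, DROPPED_FILE)):
        findings.append(("dropped_file", DROPPED_FILE))
    main = os.path.join(root, PLUGIN_MAIN)
    if os.path.isfile(main):
        with open(main, "rb") as fh:
            match = VERSION_RE.search(fh.read(8192))
        # A version match alone is a prompt to verify the package, not proof.
        if match and match.group(1).decode() == REPORTED_VERSION:
            findings.append(("reported_version", REPORTED_VERSION))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file, skip it
            if C2_DOMAIN in data:
                findings.append(("c2_reference", os.path.relpath(path, root)))
    return sorted(findings)


def build_sample_tree(root, tampered):
    """Write a constructed sample site; every file is an inert placeholder."""
    version = REPORTED_VERSION if tampered else "0.0.0"  # "0.0.0" is constructed
    files = {PLUGIN_MAIN: "<?php\n/*\n * Version: %s\n */\n" % version}
    if tampered:
        files[DROPPED_FILE] = "<?php // constructed placeholder\n"
        files[os.path.join(os.path.dirname(PLUGIN_MAIN), "common.php")] = "<?php // constructed: gravityapi.org\n"
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
```

Point `scan_wordpress` at a site's document root. A `dropped_file` or `c2_reference` finding warrants incident response, while `reported_version` alone means the installed package should be verified against a known-good copy.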


Copyright of this story solely belongs to gbhackers.