195 points by @taubek | July 12th, 2025 at 6:41am
July 12th, 2025 at 11:34pm
The official Gravity Forms post [0] indicates you were only compromised if you installed Gravity Forms via direct website download or Composer install.
From what I can see, Composer install methods use the same Gravity Forms API to fetch the install package as the auto-update feature within the plugin. Their WP-CLI plugin uses the same mechanism too.
It will be interesting to see if the Gravity Forms developers engage a third party security firm to investigate this incident. So far they have not mentioned it.
[0] https://www.gravityforms.com/blog/security-incident-notice/
July 12th, 2025 at 4:42pm
> We also received a confirmation from one of the staff of RocketGenius that the malware only affects manual downloads and composer installation of the plugin.
Phew.
July 12th, 2025 at 8:35am
Using a nonce before checking the form would have prevented many of the problems described. Or, stated differently, it would suddenly require lots of manual labour.
July 12th, 2025 at 1:33pm
Nice work to identify this malware and take action against it spreading. The article does have one small error though that made me do a double-take.
The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.
July 13th, 2025 at 1:17am
Am I alone in thinking it's kind of nuts that there's a $259 extension for Web Forms in the first place? Is this WordPress being horribly broken, the WordPress ecosystem being a playground for grifters, naive non-technical WordPress users, or all three?
July 12th, 2025 at 4:39pm
What does this impact? 90% of sites on the internet? Just a couple of low-traffic sites?
July 12th, 2025 at 4:17pm
Popped by AB of Ac1dB1tch3z
July 12th, 2025 at 9:07am
Should say what plugin it is.
July 12th, 2025 at 1:23pm
How is this even possible? Is the most likely explanation that a bad actor within GravityForms snuck something in?
I didn’t see anything in the article but I may have missed it.
@neomantra
July 12th, 2025 at 11:43am
I really appreciate that this supply breach was discovered by a diligent system operator (tracking a slow HTTP request).
Similarly, the xz breach was uncovered by a diligent developer looking at quirky SSH login performance regressions.