Supply chain attack with malware hits Gravity Forms for WordPress

Malicious code attempts to download additional payload.

The developer of Gravity Forms for the WordPress content management system (CMS) has issued an alert about a malware compromise affecting two core plugin packages, which can provide external access to infected websites.

In the security incident notice, Gravity Forms, which is developed by the United States-based RocketGenius, said the malware blocks attempts to update the compromised package.

It will also try to reach an external server to download an external payload, which if executed, will then attempt to add an administrative account to a victim's system.

"That opens a backdoor to a range of possible malicious actions, such as expanding remote access, additional unauthorised arbitrary code injections, manipulation of existing admin accounts, and access to stored WordPress data," Gravity Forms wrote.

The malicious code contained a reference to a URL on the domain gravityapi.org, which is not connected to RocketGenius/Gravity Forms.

Although the domain name registration for gravityapi.org is mostly redacted, the attacker had used contact details for a location in Iceland's capital Reykjavik.

Users can detect if their sites are infected by visiting each of the below three links:

{your_domain}/wp-content/plugins/gravityforms/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

{your_domain}/wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

{your_domain}/wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

Users are advised to take action to secure their sites if any one of the above links returns:

Warning: Undefined array key “gf_api_action” in … {followed by a reference to your wp-content folder}
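Scripting that check for a site you administer, as an added example that is not from the notice or from RocketGenius: the token, plugin paths and warning text are those quoted above; the User-Agent string is arbitrary and the fetch helper is a plain urllib GET. A 404 (file absent) is treated as clean, while any other status is inspected for the warning, since PHP warnings often come back with a 500.

```python
import sys
import urllib.error
import urllib.request

# Token, plugin directories and warning text are quoted from the notice.
GF_API_TOKEN = "Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3"
PLUGIN_DIRS = ("gravityforms", "gravityforms_2.9.11.1", "gravityforms_2.9.12")
INFECTED_MARKER = 'undefined array key "gf_api_action"'

def build_check_urls(domain):
    """The three notification.php URLs the notice asks site owners to visit."""
    base = domain.rstrip("/")
    if not base.startswith(("http://", "https://")):
        base = "https://" + base
    return [f"{base}/wp-content/plugins/{d}/notification.php"
            f"?gf_api_token={GF_API_TOKEN}&action=ping" for d in PLUGIN_DIRS]

def looks_infected(body):
    """True if the body carries the PHP warning the notice describes.
    Curly quotes (as the notice renders them) are normalised first."""
    text = body.replace("\u201c", '"').replace("\u201d", '"').lower()
    return INFECTED_MARKER in text

def _fetch(url):
    """Return (status, body); status is None if the site is unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "gf-ioc-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:  # a 500 still carries the PHP output
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""

def check_site(domain, fetch=_fetch):
    """Map each check URL to 'infected', 'clean' or 'unreachable'."""
    results = {}
    for url in build_check_urls(domain):
        status, body = fetch(url)
        if status is None:
            results[url] = "unreachable"
        else:
            results[url] = "infected" if looks_infected(body) else "clean"
    return results

if __name__ == "__main__":
    # usage: python gf_check.py your-domain.example
    for url, verdict in check_site(sys.argv[1]).items():
        print(f"{verdict:11} {url}")
```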

Gravity Forms recommends that users restore their WordPress websites from their most recent backup taken before July 9 US time, as the most robust approach.

Gravity Forms has found infected versions of its 2.9.11.1 and 2.9.12 packages, but said only a limited number of downloads were affected, between July 9 and 10 US time.

Furthermore, the packages had to be manually downloaded via users' Gravity Forms account page.

The company did not say how many packages have been compromised but said it has scanned and confirmed that no other downloadable ones are affected.

Keys and credentials for all services used to store downloadable packages have been updated by Gravity Forms to close off unauthorised access to them. 

Gravity Forms is a paid-for plugin for WordPress, which as the name implies is a form builder for data capture.

Copyright © iTnews.com.au . All rights reserved.