Critical Security Alert: GravityForms Plugin Hacked – Immediate Action Required!

Attention WordPress Users! One of the leading form plugins, GravityForms, has fallen victim to a significant hacking incident. Cybercriminals infiltrated the plugin’s official download source, compromising version 2.9.12 with malicious code.

On July 11, 2025, security experts at Patchstack uncovered this alarming breach after noticing suspicious traffic directed towards a questionable domain: gravityapi.org. This domain was registered just days before the attack, indicating meticulous planning by the hackers.

The injected malware gave the attackers comprehensive control over affected websites: remote code execution, creation of fraudulent admin accounts, upload of malicious files, reading and deleting of user data, and persistent access even after detection.

Two crucial functions within the plugin—update_entry_detail() and list_sections()—were exploited to facilitate this attack.

The update_entry_detail() function captured sensitive site information such as the WordPress version, active plugins, and server details, relaying this data to the attackers. Meanwhile, list_sections() served as a backdoor requiring a secret token for access; once activated, it enabled the hackers to execute custom PHP code, create admin accounts, upload files, and silently maintain access.

In response to this crisis, the plugin’s developers at RocketGenius acted swiftly. They released a secure update (version 2.9.13) and removed the compromised version from their servers. Additionally, the malicious domain gravityapi.org was promptly taken down by Namecheap to mitigate further risks.

If you are currently using GravityForms, it is crucial to update to version 2.9.13 or higher immediately. We also recommend scanning your website for any suspicious PHP files or unauthorized admin accounts to safeguard your site.
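As a starting point for that scan, the following added example (not code from Patchstack, RocketGenius or the plugin) walks a plugin directory and flags PHP files that mention gravityapi.org or carry a 2.9.12 plugin header. The directory layout, file names and sample file contents are constructed for illustration; only the domain and the version number come from this article.

```python
import os
import re
import tempfile

# The domain and version come from the article; everything else is assumed.
IOC_DOMAIN = b"gravityapi.org"
BAD_VERSION = b"2.9.12"
# Standard WordPress plugin header line, e.g. " * Version: 2.9.12"
VERSION_RE = re.compile(rb"^[ \t/*#@]*Version:[ \t]*([0-9][0-9A-Za-z.\-]*)", re.M)

def scan_plugin_dir(root):
    """Return sorted (relative_path, reason) findings for PHP files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                findings.append((rel, "unreadable, check manually"))
                continue
            if IOC_DOMAIN in data.lower():  # case-insensitive domain match
                findings.append((rel, "references gravityapi.org"))
            header = VERSION_RE.search(data[:8192])  # header sits at file top
            if header and header.group(1) == BAD_VERSION:
                findings.append((rel, "plugin header version 2.9.12"))
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed sample files (not real plugin code) for an offline run."""
    samples = {
        "plugin-main.php": "<?php\n/*\n * Plugin Name: Sample\n * Version: 2.9.12\n */\n",
        os.path.join("includes", "helper.php"): "<?php\n// constructed line naming GravityAPI.org\n",
        "clean.php": "<?php\n/*\n * Version: 2.9.13\n */\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_plugin_dir(tmp))
```

A clean result covers only these two indicators, so it does not by itself show that a site is unaffected. Administrator accounts and recently added PHP files elsewhere on the site still need a separate review.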
