- The RocketGenius website served a malicious variant of the Gravity Forms WordPress add-on for a few hours
- The variant harvested extensive information and allowed for RCE
- The malware affected only manual downloads and composer installations
Gravity Forms, a popular WordPress add-on with at least a million users, was victim of a supply chain attack in which threat actors tried to deploy malware to its users and take over their websites.
Security researchers from Patchstack discovered that someone had managed to infiltrate Gravity Forms’ website and compromise the plugin installation file hosted there.
However, there are discrepancies in the timeline and in how long the malware was actually being served.
According to Patchstack, on July 10 and 11, users could download Gravity Forms versions 2.9.11.1 and 2.9.12, which came with malicious files that collected extensive site metadata, and malware that allowed for remote code execution (RCE) attacks.
Carl Hancock, Gravity’s CEO and co-founder, told TechRadar Pro in a written statement that this was not true, and that the compromised .ZIP file was available only for a few hours.
“Patchstack’s timeline isn’t correct. The issue was sporadic beginning just before 8pm (EST or UTC-05:00) on the evening of July 9th and mitigated the morning of July 10th. There was then roughly a 1 hour window on the evening of July 10th where the attacker used a backup method they had in place to sloppily replace the download link on the downloads page once again. Our web host was then able to assist us in shutting the door for good on the method they were using to do this,” he said.
So, the July 10-11 timeframe is not correct – it was primarily overnight on July 9, with an additional one-hour window later on the 10th.
Risky manual downloads
The malware blocked any attempts to update the add-on, contacted an external server to deploy additional payloads, and created an admin account that granted attackers full control over the compromised website.
Gravity Forms is a premium WordPress plugin enabling users to build different forms using a drag-and-drop interface. It integrates with a wide range of third-party services, making it popular for contact forms, surveys, payment forms, and more.
RocketGenius, the company that develops Gravity Forms, determined that the malware affected only manual downloads and composer installations of the plugin.
“The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected,” RocketGenius explained.
The issue was confined to the gravityforms.com marketing and customer account site, Hancock further explained. This entity is not managed by the same web hosting company as Gravity’s licensing/automatic update/plugin installer/plugin repository API server that the plugin itself interacts with.
“The impact and exposure was minimal and we know the customers that were at risk of exposure and we’ve reached out to them on multiple occasions. Both during and after, as well as a follow up since then.”
The first clean version of the add-on is 2.9.13, which is now available for download.
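As an added defender-side triage check (not code from the article, Patchstack or RocketGenius), the following Python script reads the plugin header of an installed copy of Gravity Forms and classifies its version against the versions named above. The plugin path wp-content/plugins/gravityforms/gravityforms.php and the sample header are assumptions; a "review" result only means the version matches one the trojanised ZIPs carried, since copies obtained through the unaffected Gravity API auto-update were not tampered with.

```python
import re
from pathlib import Path
from typing import Optional

# Versions Patchstack reported as shipped with the malicious files (manual and
# Composer downloads only) and the first clean release named in the article.
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}
FIRST_CLEAN_VERSION = "2.9.13"


def parse_version(version: str) -> tuple:
    """Turn '2.9.11.1' into (2, 9, 11, 1) so four-part releases compare correctly."""
    return tuple(int(p) for p in version.strip().split("."))


def plugin_header_version(header_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    return m.group(1) if m else None


def triage(version: str) -> str:
    """Classify an installed version: 'review' if it matches a version the
    malicious ZIPs carried, 'clean' if at or above the first clean release,
    otherwise 'pre-incident' (older than the affected builds)."""
    if version in AFFECTED_VERSIONS:
        return "review"
    if parse_version(version) >= parse_version(FIRST_CLEAN_VERSION):
        return "clean"
    return "pre-incident"


def triage_install(wp_root: str) -> Optional[str]:
    """Read the plugin's main file (assumed path using the usual plugin slug)
    under a WordPress root and return its triage status, or None if absent."""
    main_file = Path(wp_root) / "wp-content" / "plugins" / "gravityforms" / "gravityforms.php"
    if not main_file.is_file():
        return None
    version = plugin_header_version(main_file.read_text(errors="replace"))
    return triage(version) if version else None


# Constructed sample header for demonstration; not taken from the real plugin.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Gravity Forms
Version: 2.9.12
*/
"""

if __name__ == "__main__":
    print(triage(plugin_header_version(SAMPLE_HEADER)))  # review
```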
Via BleepingComputer
Edit, July 16 – Added further clarification and a statement from Carl Hancock, Gravity Forms Co-Founder and CEO.