
The popular WordPress plugin Gravity Forms has been compromised in a supply-chain attack in which the manual installers on the official website were infected with a backdoor.
Gravity Forms is a premium plugin for contact, payment and other online forms. According to the vendor's statistics, the product is installed on approximately one million websites, some belonging to well-known organizations such as Airbnb, Nike, ESPN, Unicef, Google and Yale.
Remote code execution on server
WordPress security firm Patchstack says it received a report today about suspicious requests generated by plugins downloaded from the Gravity Forms website.
After checking the plugin, Patchstack confirmed that the copy downloaded from the vendor's website contained a malicious file (gravityforms/common.php). Closer examination revealed that the file initiated a POST request to a suspicious domain at gravityapi.org/sites.
On further analysis, the researchers found that the plugin collected broad site metadata, including the URL, admin paths, themes, plugins and PHP/WordPress versions, and exfiltrated it to the attackers.
The server response includes base64-encoded PHP malware, which is saved as wp-includes/bookmark-canonical.php.
The malware backdoors WordPress by posing as content management tooling that enables remote code execution without authentication, using handle_posts(), handle_media() and handle_widgets().
"All these functions can be reached via __construct -> init_content_management -> handle_requests -> process_request. Therefore, it can basically be triggered by an unauthenticated user," Patchstack says.
"In all these functions, it will make an eval call with the input supplied by the user, resulting in remote code execution on the server," the researchers said.
The developer behind Gravity Forms, RocketGenius, was contacted, and a staff member told Patchstack that the malware only impacted the manual download and Composer installation of the plugin.
Patchstack recommends that anyone who downloaded Gravity Forms since yesterday reinstall the plugin by obtaining a clean version. Admins should also scan their websites for any sign of infection.
According to Patchstack, the domains that facilitated this operation were registered on July 8.
Hackers add admin accounts
RocketGenius has published a post-mortem of the incident confirming that only Gravity Forms 2.9.11.1 and 2.9.12 were available for manual download between July 10 and July 11.
If admins installed version 2.9.11 via Composer on either of those two dates, they obtained an infected copy of the product.
"The Gravity API service that handles the installation of add-ons was never compromised. All the package updates managed through that service are unaffected." – RocketGenius
RocketGenius says that the malicious code blocked update attempts, contacted an external server to fetch additional payloads, and added an administrator account that gave the attacker full control of the website.
The developer also provides a way for administrators to check for potential infection by visiting a specific link on their websites.
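As an added, defender-side example (not code from Patchstack, RocketGenius or the Gravity Forms project), the following Python script checks a WordPress installation for the indicators described above: the dropped wp-includes/bookmark-canonical.php file, references to the gravityapi.org domain inside the Gravity Forms plugin directory, and whether the installed plugin version is one of the two that were available as tampered manual downloads. The directory layout it assumes and the sample files it builds for demonstration are constructed; the "Version:" plugin-header format is standard WordPress convention.

```python
import re
import tempfile
from pathlib import Path

# Indicators named in the Patchstack / RocketGenius findings above.
BACKDOOR_FILE = Path("wp-includes") / "bookmark-canonical.php"
C2_DOMAIN = "gravityapi.org"
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}

# Assumed layout of a standard WordPress install with Gravity Forms in the usual plugin slot.
PLUGIN_DIR = Path("wp-content") / "plugins" / "gravityforms"
PLUGIN_MAIN = PLUGIN_DIR / "gravityforms.php"

# WordPress plugin headers are "Key: value" lines inside a leading PHP comment block.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\w.]+)", re.MULTILINE)


def gravity_forms_version(wp_root):
    """Return the Version: header of the installed Gravity Forms plugin, or None if absent."""
    main = Path(wp_root) / PLUGIN_MAIN
    if not main.is_file():
        return None
    match = VERSION_RE.search(main.read_text(errors="replace"))
    return match.group(1) if match else None


def scan_wordpress(wp_root):
    """Return a list of (kind, path) findings for the indicators from the report."""
    root = Path(wp_root)
    findings = []

    # 1. The file the second-stage payload is written to.
    dropped = root / BACKDOOR_FILE
    if dropped.exists():
        findings.append(("backdoor_file", str(dropped)))

    # 2. Any plugin source that references the exfiltration / payload domain.
    plugin_dir = root / PLUGIN_DIR
    if plugin_dir.is_dir():
        for php in sorted(plugin_dir.rglob("*.php")):
            if C2_DOMAIN in php.read_text(errors="replace"):
                findings.append(("c2_domain_reference", str(php)))

    # 3. A version that was served tampered during the July 10-11 window (not proof of infection).
    version = gravity_forms_version(root)
    if version in AFFECTED_VERSIONS:
        findings.append(("affected_version", str(root / PLUGIN_MAIN)))

    return findings


def build_sample_site(wp_root, infected, version="2.9.12"):
    """Create a minimal, constructed WordPress tree for demonstration (no real plugin code)."""
    root = Path(wp_root)
    (root / "wp-includes").mkdir(parents=True, exist_ok=True)
    (root / PLUGIN_DIR).mkdir(parents=True, exist_ok=True)
    (root / PLUGIN_MAIN).write_text(
        f"<?php\n/*\nPlugin Name: Gravity Forms\nVersion: {version}\n*/\n"
    )
    common = root / PLUGIN_DIR / "common.php"
    if infected:
        # Constructed stand-in for the tampered common.php: only the domain string matters here.
        common.write_text("<?php\n// constructed sample: contacts https://gravityapi.org/sites\n")
        # Constructed placeholder for the dropped second-stage file.
        (root / BACKDOOR_FILE).write_text("<?php\n// constructed sample placeholder\n")
    else:
        common.write_text("<?php\n// constructed sample: clean helper file\n")


def demo():
    """Scan one constructed infected site and one constructed clean site; return finding kinds."""
    with tempfile.TemporaryDirectory() as bad, tempfile.TemporaryDirectory() as good:
        build_sample_site(bad, infected=True)
        # Constructed clean site pinned to a version outside the affected set.
        build_sample_site(good, infected=False, version="2.9.10")
        return (
            sorted({kind for kind, _ in scan_wordpress(bad)}),
            sorted({kind for kind, _ in scan_wordpress(good)}),
        )


if __name__ == "__main__":
    infected_kinds, clean_kinds = demo()
    print("infected sample:", infected_kinds)
    print("clean sample:   ", clean_kinds)
```

Run it against a real site as `scan_wordpress("/var/www/html")`. A hit on the backdoor file or the domain string is a strong indicator and the site should be treated as compromised, including a review of administrator accounts, since the report says the payload adds one; an affected-version hit alone only means the install falls in the window and should be reinstalled from a clean copy.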