Two trojanized versions of the Gravity Forms WordPress plugin were distributed through the official download page following a supply chain attack.
Gravity Forms is an easy-to-use WordPress forms builder that has over 1 million active installations. It offers a visual form editor, supports transaction management and workflow automation, and provides support for a broad range of form customizations.
The malicious activity related to Gravity Forms was flagged on July 11, after Patchstack received a report that the plugin made an HTTP request to a suspicious domain that was created on July 8.
The plugin was found to be sending WordPress installation details in that request, and to contain malicious functions that unauthenticated users could call to execute arbitrary code remotely on the server.
On the same day, Gravity Forms’ developer RocketGenius confirmed that malicious iterations of the plugin were listed on the official download page.
“For a limited time and only via specific methods, two Gravity Forms core plugin packages offered for manual download were compromised by an external agent who made unauthorized code modifications,” the developer said.
According to RocketGenius, only Gravity Forms versions 2.9.11.1 and 2.9.12 as offered on the download page on July 9 and July 10 were infected; users who ran a composer install of 2.9.11.1 during that window also received the malicious build.
Packages fetched through the auto-update mechanism were not malicious, and the Gravity API service that handles automatic updates, licensing, and installations was not compromised, the developer notes.
RocketGenius says the malicious code in the compromised versions was designed to create an administrator account on the WordPress site, giving attackers a backdoor through which to access the installation remotely, execute code, manipulate accounts, and steal data.
Version 2.9.13 of the plugin was released on July 11 to remove the malicious code, and users are urged to update as soon as possible, especially if they manually downloaded a backdoored build on July 9 or July 10.
“All keys and credentials for all the services we use to store downloadable packages have been updated to close the possibility of unauthorized access. All administrative accounts have been audited and have had their passwords cycled,” RocketGenius notes.