- The RocketGenius site served a malicious variant of the Gravity Forms WordPress plugin for two days
- The variant harvested extensive site information and enabled remote code execution
- The malware affected only manual downloads and Composer installations
Gravity Forms, a popular WordPress plugin with at least one million users, fell victim to a supply chain attack in which threat actors attempted to deliver malware to its users and take over their websites.
Patchstack security researchers discovered that someone had infiltrated the Gravity Forms website and compromised the plugin installation file hosted there.
On July 10 and July 11, users downloading Gravity Forms versions 2.9.11.1 and 2.9.12 received packages that included malicious files, which collected extensive site metadata and enabled remote code execution (RCE).
Riskier manual downloads
The malware also blocked all attempts to update the plugin, contacted an external server to fetch additional payloads, and created an administrator account that gave the attackers full control over the compromised site.
Gravity Forms is a premium WordPress plugin that lets users build forms with a drag-and-drop interface. It integrates with a wide range of third-party services, making it popular for contact forms, surveys, payment forms and more.
After being notified of the attack, RocketGenius, the company that develops Gravity Forms, investigated further and determined that the malware only affected manual downloads and Composer installations of the plugin.
“The Gravity API service, which handles licensing, automatic updates and the installation of add-ons initiated from within Gravity Forms, was never compromised. All package updates managed through this service are not affected,” RocketGenius explained.
Therefore, all users who downloaded Gravity Forms directly from the RocketGenius website on July 10 or 11 must delete the plugin and reinstall it from a clean version. Administrators should also examine their sites for any signs of compromise.
The first clean version of the plugin is 2.9.13, which is now available for download.
Via BleepingComputer
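One way to act on that advice for a manually downloaded or Composer-installed copy, as an added example that is not RocketGenius's or Patchstack's tooling: compare the file tree of the suspect package against a copy of the same version obtained through a channel the vendor states was unaffected (the Gravity API service), and list every added, removed or modified file for manual review. The directory layout, file names and file contents below are constructed for the demonstration only; the differences it reports are not the actual indicators from this incident.

```python
"""Compare a suspect plugin directory against a known-clean copy of the same version.

Added example, not vendor tooling. The sample trees built by build_demo() are
constructed placeholders and do not reflect the real plugin's files.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each relative file path under root to its SHA-256 hex digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_trees(clean_root, suspect_root):
    """Return the files that are added, removed or modified in suspect vs clean.

    Both trees must be the same plugin version; otherwise every legitimately
    changed file shows up as noise.
    """
    clean = hash_tree(clean_root)
    suspect = hash_tree(suspect_root)
    common = clean.keys() & suspect.keys()
    return {
        "added": sorted(set(suspect) - set(clean)),
        "removed": sorted(set(clean) - set(suspect)),
        "modified": sorted(p for p in common if clean[p] != suspect[p]),
    }


def build_demo():
    """Constructed sample: a clean tree and a tampered copy of it (hypothetical content)."""
    base = Path(tempfile.mkdtemp(prefix="plugin-check-"))
    clean = base / "clean" / "gravityforms"
    suspect = base / "suspect" / "gravityforms"
    for root in (clean, suspect):
        (root / "includes").mkdir(parents=True)
        (root / "gravityforms.php").write_text("<?php // plugin bootstrap\n")
        (root / "includes" / "api.php").write_text("<?php // api\n")
    # Simulated tampering: one injected file and one modified bootstrap file.
    (suspect / "includes" / "extra.php").write_text("<?php // injected\n")
    (suspect / "gravityforms.php").write_text(
        "<?php // plugin bootstrap\ninclude 'includes/extra.php';\n"
    )
    return clean, suspect


if __name__ == "__main__":
    clean_dir, suspect_dir = build_demo()
    for kind, files in diff_trees(clean_dir, suspect_dir).items():
        print(f"{kind}: {files}")
```

Point the two paths at real directories of the same version; any file present only in the suspect copy, or whose digest differs, is worth reading before the site is considered clean. Because the malware was reported to create an administrator account, reviewing the site's administrator users is a separate check that this file comparison does not cover.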