- The RocketGenus website served a malicious variant of the WordPress Forms supplement from Gravity for two days
- The variant has collected extensive and authorized information for RCE
- Malware only affected manual downloads and composer installations
Gravity Forms, a popular WordPress supplement with at least one million users, has been the victim of a supply chain attack in which threat actors tried to deploy malware to its users and resume their websites.
Patchstack safety researchers have discovered that someone has managed to infiltrate the Gravity Forms website and compromise the accommodated plug-in installation file.
On July 10 and 11, users could download Gravity Forms versions 2.9.11.1 and 2.9.12, which came with malicious files that collected metadata from the extensive site and malicious software that allowed distant code execution attacks (RCE).
Risky manual downloads
The malware also blocked any attempt to update the plugin, contacted an external server to deploy additional payloads, and created an administrator account that gave the attackers complete control of the compromised website.
Gravity Forms is a premium WordPress plugin that lets users build different kinds of forms with a drag-and-drop interface. It integrates with a wide range of third-party services, which makes it popular for contact forms, surveys, payment forms and more.
After being informed of the attack, RocketGenius, the company that develops Gravity Forms, investigated further and determined that the malware only affected manual downloads and Composer installations of the plugin.
“The Gravity API service that manages licenses, automatic updates and the installation of add-ons initiated from within the Gravity Forms plugin has never been compromised. All package updates managed via this service are unaffected,” said RocketGenius.
Therefore, any user who downloaded Gravity Forms directly from the RocketGenius website on July 10 or 11 should delete the plugin and reinstall a clean version. Administrators should also scan their websites for any sign of compromise.
The first clean version of the plugin is 2.9.13, which is now available for download.
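As an added example, not code from the article, Patchstack or RocketGenius: a small Python triage helper that reads the version from a Gravity Forms main-file header, checks it against the two affected releases and the first clean one, and flags administrator accounts registered during the two-day window (the rogue admin account being one indicator the article names). The year 2025, the user-record fields (modelled on `wp user list --format=json` output) and the sample data are assumptions.

```python
import re
from datetime import datetime, date
from typing import Optional

# Versions the article reports as carrying the malicious files, and the first clean release.
AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}
FIRST_CLEAN_VERSION = "2.9.13"
# The article gives only "July 10 and 11"; the year is an assumption for this illustration.
COMPROMISE_WINDOW = (date(2025, 7, 10), date(2025, 7, 11))

# Constructed sample input: the header block of a plugin main file (e.g. gravityforms.php).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Gravity Forms
Version: 2.9.12
*/
"""

# Constructed sample input shaped like wp-cli user records (roles is a comma-separated string).
SAMPLE_USERS = [
    {"user_login": "site_owner", "user_registered": "2024-03-02 09:15:00", "roles": "administrator"},
    {"user_login": "wp_support", "user_registered": "2025-07-10 23:41:12", "roles": "administrator"},
    {"user_login": "editor1", "user_registered": "2025-07-11 08:00:00", "roles": "editor"},
]

def parse_version(v: str) -> tuple:
    """Turn '2.9.11.1' into (2, 9, 11, 1) so versions compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def plugin_version_from_header(main_file_text: str) -> Optional[str]:
    """Read the 'Version:' line of a WordPress plugin header; None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", main_file_text, re.MULTILINE)
    return m.group(1) if m else None

def assess_version(version: str) -> str:
    """'affected' for the two malicious releases, 'clean' from 2.9.13 up, else 'pre-incident'."""
    if version in AFFECTED_VERSIONS:
        return "affected"
    if parse_version(version) >= parse_version(FIRST_CLEAN_VERSION):
        return "clean"
    return "pre-incident"

def suspicious_admins(users, window=COMPROMISE_WINDOW):
    """Logins of administrator accounts registered inside the compromise window."""
    start, end = window
    flagged = []
    for u in users:
        if "administrator" not in u["roles"].split(","):
            continue
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S").date()
        if start <= registered <= end:
            flagged.append(u["user_login"])
    return flagged
```

A flagged account is only a lead for the compromise scan the article recommends, not proof on its own; a site on an affected version should be reinstalled from a clean 2.9.13 regardless.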
Via BleepingComputer