One of the most popular WordPress form plugins, GravityForms, has been hacked. Attackers managed to slip in malicious code through the plugin’s official download source. It affects version 2.9.12 of the plugin.
Security researchers at Patchstack discovered the issue on July 11, 2025, after spotting unusual traffic going to a shady domain — gravityapi.org. This domain was registered just a few days before the attack. This makes it clear that hackers planned everything well in advance.
The malware was embedded into the plugin and gave attackers full control over the infected websites. It allowed Remote Code Execution, Creation of fake admin accounts, Uploading of malicious files, Reading and deleting user data, and Persistent access, even after detection.
The hackers used two key functions in the plugin to carry out the attack: update_entry_detail() and list_sections().
The first function collects site info like the WordPress version, active plugins, and server details, and sent it to the attacker’s domain. The second function acts as a backdoor requiring a secret token to access. Once triggered, it gave attackers the ability to run custom PHP code, create admin accounts, Upload files, and maintain access quietly.
The plugin’s developer, RocketGenius, acted fast. They released a clean update (version 2.9.13) and removed the infected version from their servers. The malicious domain gravityapi.org was also taken down by Namecheap to prevent further damage.
If you are using GravityForms, update immediately to version 2.9.13 or higher. You should also scan your website for any strange PHP files or unauthorized admin accounts.
