
SECURITY INCIDENT NOTICE: Gravity Forms 2.9.11.1, 2.9.12 Malware Compromise Notice

By Gravity Forms. Published July 11, 2025.

Security Incident Notice

What happened

For a limited time and only via specific methods, two Gravity Forms core plugin packages offered for manual download were compromised by an external agent who made unauthorized code modifications.

These modifications were malicious and intended to give external agents access to infected websites. Please review the details below to determine whether you were at risk, how to tell if you were infected, and what to do if you were.

What packages were affected

Modified versions of Gravity Forms 2.9.11.1 and 2.9.12 were infected, but only a limited number of those packages were affected, and they were only available for a limited compromise window.

You may have a compromised version if you installed a Gravity Forms core package under the following conditions: 

  • You manually downloaded 2.9.11.1 on July 9 or 10 via your Gravity Forms account downloads page.
  • You manually downloaded 2.9.12 on July 10. 
  • You ran a composer install and installed 2.9.11.1 on the dates above. 

Packages that were not affected

Only packages matching the conditions listed above were identified as affected.

If you updated to 2.9.12 using auto-update (based on an available update message in your WordPress dashboard), you have not been exposed. The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected. 

If you downloaded either of the above Gravity Forms versions on a different date, your plugin files would not be infected. All download packages now available via GravityForms.com have been scanned and confirmed as clean. 

Malware behaviors

If installed, the malicious code modifications will block attempts to update the package and attempt to reach an external server to download additional payload. If it succeeds in executing this payload, it will then attempt to add an administrative account. That opens a back door to a range of other possible malicious actions, such as expanding remote access, additional unauthorized arbitrary code injections, manipulation of existing admin accounts, and access to stored WordPress data.

Actions taken by us

We have scanned and confirmed that no other downloadable packages are affected. We have also made Gravity Forms version 2.9.13 available for download via your Gravity Forms account.

All keys and credentials for all the services we use to store downloadable packages have been updated to close the possibility of unauthorized access. All administrative accounts have been audited and have had their passwords cycled.

We are notifying the domain abuse and security teams of the known hosting providers involved, and communicating with CVE reporting organizations to help publish the incident.

We have notified domain registrars and web hosts to take action against the IP address and the related domain URL that the malware utilized.

We continue to investigate and are working with customers who may be infected. 

How to identify an infected site

Security organizations and incident monitors have been analyzing this attack, and have confirmed our conclusion that this had a limited impact due to the conditions required to be affected. If you feel at risk because of having installed a package that meets the conditions above, the following checks will allow you to identify if your site was infected: 

The malware can be identified by popular security detection packages such as Wordfence. If you (or your web host) do not have access to a detection package, you can check for possible infection by visiting each of the following three URLs:

{your_domain}/wp-content/plugins/gravityforms/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

{your_domain}/wp-content/plugins/gravityforms_2.9.11.1/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

{your_domain}/wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping

(Note that these URLs need to be adjusted if you have customized your wp-content folder location.)

You have installed an infected package if any one of the URLs above returns the following message:

Warning: Undefined array key “gf_api_action” in … {followed by a reference to your wp-content folder}

In this situation, you will need to take action.
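The check above can be scripted so that a host or agency can run it across many sites and keep a record of the result. The following is an added example, not code from Gravity Forms or Rocketgenius: it builds the three URLs from the notice (using the published gf_api_token and plugin directory names), fetches them with urllib, and classifies the response body by looking for the "Undefined array key "gf_api_action"" warning the notice describes. The site URL, the optional custom wp-content path, and the injectable fetcher used for offline testing are assumptions of this example; the token and paths are the ones in the notice.

```python
"""Scripted version of the notification.php infection check from the
Gravity Forms incident notice. Added example, not the vendor's code.

Assumptions: the site is reachable over HTTP(S) from where this runs, and
an infected notification.php answers the published URL with the PHP warning
quoted in the notice. Anything else (404, empty body, timeout) is reported
as "not infected by this check", which is exactly what the manual check
would also tell you.
"""
import urllib.error
import urllib.parse
import urllib.request

# Token, plugin directory names and marker text exactly as given in the notice.
GF_API_TOKEN = "Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3"
PLUGIN_DIRS = ("gravityforms", "gravityforms_2.9.11.1", "gravityforms_2.9.12")
INFECTION_MARKER = 'Undefined array key "gf_api_action"'


def check_urls(site_url, wp_content="wp-content"):
    """Return the three check URLs for a site.

    wp_content lets you adjust the path if the wp-content folder was moved,
    as the notice says you must.
    """
    base = site_url.rstrip("/")
    folder = wp_content.strip("/")
    query = urllib.parse.urlencode({"gf_api_token": GF_API_TOKEN, "action": "ping"})
    return [f"{base}/{folder}/plugins/{d}/notification.php?{query}" for d in PLUGIN_DIRS]


def is_infected(body):
    """True if a response body carries the warning text from the notice.

    WordPress may render the quotes around gf_api_action as curly quotes,
    so both forms are normalised before matching.
    """
    normalised = body.replace("\u201c", '"').replace("\u201d", '"')
    return INFECTION_MARKER in normalised


def fetch(url, timeout=10):
    """Return (status, body). HTTP errors still return their body; network
    failures return (None, error text) so the caller can tell them apart."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)


def scan_site(site_url, wp_content="wp-content", fetcher=fetch):
    """Run the check against each URL; returns {url: infected_bool}.

    `fetcher` is injectable so the logic can be exercised without a network
    (see the constructed fake responses in the usage below).
    """
    results = {}
    for url in check_urls(site_url, wp_content):
        _status, body = fetcher(url)
        results[url] = is_infected(body)
    return results


if __name__ == "__main__":
    import sys

    # Usage: python check_gf.py https://example.com [wp-content-folder]
    site = sys.argv[1]
    folder = sys.argv[2] if len(sys.argv) > 2 else "wp-content"
    for url, infected in scan_site(site, folder).items():
        print(("INFECTED  " if infected else "clean     ") + url)
```

A site is flagged as soon as any one of the three URLs answers with the warning, matching the "any one of the URLs" wording of the notice; a clean site simply shows three "clean" lines.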

Actions for an infected site

If you confirmed infection via the check actions above, you will need to secure your site. 

Recover your previous state

The most robust approach is to restore your WordPress website to its most recent backup before July 9th. This is the most complete approach to removing possible infection vectors and payloads that may have been injected anywhere in your website content or database. 

The following actions are recommended, but they may not constitute a complete cleaning; that is only achieved by reverting to an uninfected backup as recommended above.

  1. Deactivate and delete any Gravity Forms 2.9.11.1 or 2.9.12 plugin
    • Do not uninstall as that will delete settings and data. See the bottom of this communication for directions on how to remove the plugin without deleting your settings, entries, etc.
    • Download Gravity Forms 2.9.13 or higher from your Gravity Forms account portal
    • Reinstall the cleaned package.
  2. Block access 
• The URL gravityapi.org (not owned by Rocketgenius) and the IPs listed below were found within or related to the malicious package code. Although we have had the detected external servers shut down and have requested that the domain be deactivated, you can block these URLs and IPs at your firewall or with any security services or plugins to stop an infected website from trying to ping that domain.
    • IP addresses 185.243.113.108, 185.193.89.19, 24.245.59.0, 194.87.63.219
  3. Security audit
    • Other possible actions include: 
      1. Review all recently added users.
      2. Review all admin-level users and remove any unrecognized accounts. Check email addresses to ensure they belong to the original owner. Consider cycling administrative account passwords.  
      3. Check your installed plugins and installed packages for malicious files.
      4. If you have active logging, review your logs. 
  4. More suggestions
    • Confirm that you have malware detection software active on your website or in use with your web host. Wordfence, Patchstack, and SolidWP are good examples.
    • If your logs suggest unauthorized access or a login from an unknown admin user was made, you should extend your audit to all parts of your website. 
    • Refer to this WordPress.org article for additional recommendations: https://wordpress.org/documentation/article/faq-my-site-was-hacked/
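Steps 2 and 3 above give you concrete indicators to look for in your own logs: requests to the notification.php endpoint carrying a gf_api_token parameter, and traffic from the listed IP addresses or referencing gravityapi.org. The following added example (not part of the notice and not Rocketgenius code) reviews web server access log lines for those indicators. It assumes the Apache/nginx "combined" log format; the sample log lines are constructed for illustration and use documentation IP ranges for the benign traffic alongside one IP from the notice.

```python
"""Review access-log lines for indicators from the Gravity Forms notice.
Added example, not the vendor's code. Assumes the common "combined" log
format; adjust LOG_RE if your host logs differently.
"""
import re
from collections import Counter

# Indicators taken directly from the notice.
IOC_IPS = {"185.243.113.108", "185.193.89.19", "24.245.59.0", "194.87.63.219"}
IOC_DOMAIN = "gravityapi.org"

# Apache/nginx "combined" format: ip ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

REASON_IOC_IP = "source IP is in the notice's IoC list"
REASON_PROBE = "request to gravityforms notification.php with gf_api_token"
REASON_DOMAIN = "line references gravityapi.org"


def classify(line):
    """Parse one log line; return a dict with the matched reasons, or None
    for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append(REASON_IOC_IP)
    path = m["path"]
    # The backdoor endpoint lives under any of the gravityforms* plugin
    # directories and is addressed with the gf_api_token query parameter.
    if "/plugins/gravityforms" in path and "notification.php" in path and "gf_api_token=" in path:
        reasons.append(REASON_PROBE)
    if IOC_DOMAIN in line:
        reasons.append(REASON_DOMAIN)
    return {
        "ip": m["ip"], "ts": m["ts"], "method": m["method"],
        "path": path, "status": int(m["status"]), "ua": m["ua"],
        "reasons": reasons,
    }


def review_log(lines):
    """Return only the parsed entries that matched at least one indicator."""
    return [entry for entry in map(classify, lines) if entry and entry["reasons"]]


def summarize(hits):
    """Count hits per source IP so repeat probers stand out."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log (not real traffic). 203.0.113.x / 198.51.100.x are
# documentation ranges; 185.243.113.108 is one of the IPs from the notice.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2025:14:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
185.243.113.108 - - [10/Jul/2025:14:05:40 +0000] "GET /wp-content/plugins/gravityforms/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping HTTP/1.1" 200 312 "-" "curl/8.0"
198.51.100.7 - - [10/Jul/2025:14:07:02 +0000] "POST /wp-content/plugins/gravityforms_2.9.12/notification.php?gf_api_token=Cx3VGSwAHkB9yzIL9Qi48IFHwKm4sQ6Te5odNtBYu6Asb9JX06KYAWmrfPtG1eP3&action=ping HTTP/1.1" 200 88 "-" "python-requests/2.31"
203.0.113.5 - - [10/Jul/2025:14:09:30 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    import sys

    # Usage: python review_gf_log.py /var/log/apache2/access.log  (or no arg for the sample)
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    hits = review_log(lines)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}: {"; ".join(h["reasons"])}')
    print("hits per IP:", dict(summarize(hits)))
```

A successful (200) response to the notification.php probe in your own log is the strongest signal here, since it means the endpoint answered; a hit from a non-listed IP still matters, as the IoC IPs in the notice are only the ones known so far. If the review turns anything up, extend the audit as the notice says: users, admin accounts, installed plugins.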

Our commitment

We sincerely apologize for this incident and any inconvenience it may cause. We are continuing to analyze this incident and working with malware security organizations to implement additional security protocols and prevent such an incident in the future.

If you have any questions or need assistance with these steps, please contact our team at [email protected] or via our normal customer support forms here (https://www.gravityforms.com/open-support-ticket/)

Appendix: How to deactivate and delete the Gravity Forms plugin without deleting data.

The steps below will only remove the plugin files so that you can replace them with the newer version. This does NOT touch your data.

⚠️ Do NOT use the Uninstall buttons at Forms → Settings → Uninstall, as this will remove your data.

  1. Select Plugins → Deactivate for any Gravity Forms core plugins listed.
  2. Once deactivated, you can select Plugins → Delete.
  3. Answer Yes when prompted to delete. This step deletes the plugins folder and files.
  4. Repeat these steps if you see a second Gravity Forms installation.
  5. Select the option to Add New plugin.
  6. Select Upload.
  7. Get the downloaded validated zip of Gravity Forms 2.9.13 available from your Gravity Forms account downloads page.
  8. Browse to the location where you saved the newly downloaded zip file and select it.
  9. Click Install Now. You should see the message “Plugin installed successfully.” This step recreates the plugin’s folder and files.
  10. Click Activate Plugin.