Introduction
In July 2025, Gravity Forms — one of the most widely used WordPress form plugins — confirmed a supply-chain incident. Malicious code was briefly introduced into downloadable versions of the plugin.
If your site runs Gravity Forms, this news matters. Even if you didn’t directly install the affected versions, it’s important to check your site, update, and audit. Here’s what happened, what the risks were, and how to respond.
What Happened?
According to the official Gravity Forms security notice, attackers briefly managed to inject malicious code into downloadable plugin packages.
- Affected versions:
  - 2.9.11.1
  - 2.9.12
- Distribution channels:
  - Manual downloads from the Gravity Forms site
  - Composer-based installs pulling from the official distribution
The versions available via the standard WordPress auto-updater (dashboard → Plugins → Update) were not affected.
Gravity Forms quickly replaced the compromised files and released clean versions.
Who Was at Risk?
The risk depended on how you updated or installed the plugin:
- Low risk: If you updated Gravity Forms directly from the WordPress admin dashboard (auto-updates or normal plugin updates), you were not affected.
- High risk: If you downloaded the plugin manually between the affected dates or used Composer installs, you may have installed a compromised version.
What Should You Do?
Step 1: Update Immediately
- Ensure you are running the latest clean version (currently 2.9.13+).
- Use the WordPress dashboard auto-updater or download fresh copies directly from Gravity Forms after July 25, 2025.
Step 2: Check File Integrity
- Compare your Gravity Forms plugin files against the clean source.
- Use a plugin like Wordfence or iThemes Security to scan for suspicious files.
Step 3: Audit Logs and Users
- Check server logs for unexpected activity after the plugin update.
- Look for new user accounts with administrator privileges you don’t recognise.
Step 4: Reset Credentials (if affected)
If you believe you installed a compromised version:
- Rotate WordPress admin passwords.
- Reset hosting control panel and database credentials.
- Invalidate API keys used with Gravity Forms integrations.
Step 5: Monitor for Further Updates
Gravity Forms has committed to transparency and will update their blog if further findings emerge. Subscribe to their security mailing list or RSS feed.
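The file-integrity check in Step 2 can be done by hand without a security plugin. The script below is an added example (it is not code from Gravity Forms or from this post): it hashes every file in a freshly downloaded clean copy and in the installed plugin directory, then reports files that were added, removed or modified. The two paths are assumptions; adjust them to your server. Requires GNU coreutils and findutils (sha256sum, xargs -r).

```shell
#!/usr/bin/env bash
# Added example, not part of the Gravity Forms notice or the plugin itself.
# Compares an installed plugin directory against a known-clean copy by SHA-256
# hash and reports files that were added, removed or modified. A file present
# only in the installed copy is the finding to look at first: that is how
# injected code usually shows up.
#
# Assumed (hypothetical) paths:
#   clean copy     -> /tmp/gf-clean/gravityforms  (fresh download, unpacked)
#   installed copy -> /var/www/html/wp-content/plugins/gravityforms
# Limitation: file names containing whitespace are not handled (the plugin
# ships none).

set -u

# hash_manifest DIR
# Prints "<sha256>  ./relative/path" for every regular file under DIR, sorted
# so that two manifests of identical trees are byte-for-byte identical.
hash_manifest() {
  local dir="$1"
  ( cd "$dir" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum )
}

# compare_plugin CLEAN_DIR INSTALLED_DIR
# Prints one line per difference ("ADDED ./path", "REMOVED ./path",
# "MODIFIED ./path"), sorted. Exit status 0 when the trees match, 1 otherwise.
compare_plugin() {
  local clean="$1" installed="$2"
  local clean_manifest installed_manifest findings
  clean_manifest=$(mktemp)
  installed_manifest=$(mktemp)
  hash_manifest "$clean" > "$clean_manifest"
  hash_manifest "$installed" > "$installed_manifest"

  # First input fills the clean[] map; second input is the installed tree.
  findings=$(awk '
    NR == FNR { clean[$2] = $1; next }
    { inst[$2] = $1 }
    END {
      for (p in inst) {
        if (!(p in clean))            print "ADDED " p
        else if (inst[p] != clean[p]) print "MODIFIED " p
      }
      for (p in clean) if (!(p in inst)) print "REMOVED " p
    }' "$clean_manifest" "$installed_manifest" | sort)

  rm -f "$clean_manifest" "$installed_manifest"

  if [ -z "$findings" ]; then
    return 0
  fi
  printf '%s\n' "$findings"
  return 1
}

# Stand-alone use:
#   ./gf-integrity.sh /tmp/gf-clean/gravityforms /var/www/html/wp-content/plugins/gravityforms
if [ "$#" -eq 2 ]; then
  compare_plugin "$1" "$2"
fi
```

Any ADDED or MODIFIED line deserves a look; an exit status of 1 is a convenient trigger for a monitoring job. For the user audit in Step 3, WP-CLI's `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered` lists every administrator account with its creation date, which makes unfamiliar recent accounts easy to spot.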
Lessons from the Incident
Supply-chain attacks are one of the biggest risks in 2025 because they exploit the trust we place in software updates. Even well-respected plugins like Gravity Forms can be targeted.
Key takeaways for WordPress site owners:
- Always apply updates via the WordPress dashboard auto-updater when possible.
- Verify plugin integrity after manual downloads.
- Maintain backups so you can quickly roll back in case of compromised updates.
- Consider a managed WordPress care plan where updates are monitored and tested.
Staying Secure After the Gravity Forms Incident
This supply-chain compromise was contained quickly, but it’s a reminder that no plugin is immune to attack. For Gravity Forms users, the steps are simple: update now, audit, and tighten your security practices.
At ThriveWP, we help businesses keep their WordPress sites safe through proactive monitoring, regular plugin audits, and rapid response to incidents like this one. If you’re unsure whether your site was affected — or want a professional audit for peace of mind — we can take care of it for you.