Picture this: you wake up one morning to discover that a tool you rely on to run your website has been weaponized against you. That\u2019s the reality thousands of website owners faced with Gravity Forms, a wildly popular WordPress plugin powering over a million sites with everything from contact forms to payment systems. In July 2025, a sneaky supply chain attack slipped malicious code into certain versions of Gravity Forms, putting countless websites at risk. This wasn\u2019t a minor hiccup – it was a loud wake-up call for anyone managing a WordPress site. In this blog, we\u2019ll unpack what happened, why it\u2019s a big deal, and how you can protect your site from similar threats. We\u2019ll also dive into how safe WordPress really is and look at past breaches to put things in perspective. Our goal? To equip you with the know-how to keep your WordPress site secure and your data safe.<\/p>\n\n\n\n
What\u2019s a supply chain attack, you ask? Imagine a thief slipping poison into the coffee beans at your favorite caf\u00e9\u2019s supplier before they even hit the shop. In cybersecurity, it\u2019s when attackers target the software supply chain – think developers, vendors, or distribution channels – to sneak malicious code into trusted software. Rather than hacking one website at a time, they hit a single point, like a plugin\u2019s official download page, to compromise thousands or even millions of sites in one go. It\u2019s clever, efficient, and downright terrifying.<\/p>\n\n\n\n
The Gravity Forms incident is a perfect example. Attackers didn\u2019t bother breaking into individual websites; they tampered with the plugin\u2019s files on the official Gravity Forms website, so anyone downloading those files got a nasty surprise. This isn\u2019t a new trick – think of the 2020 SolarWinds attack, where hackers hid malware in software updates to spy on companies and governments, or the 2021 Codecov breach, which exposed sensitive data across organizations. These attacks exploit the trust we place in software we assume is safe, and in the open-source world of WordPress, where plugins are often downloaded without a second glance, that trust is a goldmine for bad actors.<\/p>\n\n\n\n
Gravity Forms is a premium WordPress plugin that simplifies creating forms for collecting data, processing payments, or running surveys. It\u2019s a favorite for businesses, bloggers, and big names like Nike and Airbnb, boasting over a million active installations. But on July 9 and 10, 2025, versions 2.9.11.1 and 2.9.12, available for manual download from gravityforms.com, were laced with malware. The attackers injected a backdoor into files like gravityforms\/common.php<\/em> and includes\/settings\/class-settings.php<\/em><\/mark>. This wasn\u2019t a random act of vandalism – it was a calculated strike.<\/p>\n\n\n\n The backdoor sent sensitive site details – like URLs, plugin lists, and user counts – to a shady domain, gravityapi.org (unrelated to Gravity Forms, despite the sneaky name). From there, attackers could remotely execute code, create rogue admin accounts, or upload files to your server. It\u2019s like someone sneaking into your site\u2019s control room, flipping switches, and stealing data without you noticing. The potential fallout? Stolen customer info, defaced websites, or even complete site takeovers. Luckily, the attack only affected manual downloads and composer installations, not automatic updates, and the window was brief – less than 48 hours. Still, for those who downloaded the compromised versions, it was a nightmare.<\/p>\n\n\n\n WordPress powers nearly half the web, making it a juicy target for hackers. Its open-source nature is a double-edged sword: it\u2019s flexible and community-driven, but that openness invites risks. Plugins and themes, often built by small teams or solo developers, are frequent weak points. A single poorly coded plugin can open the door to attacks like cross-site scripting (XSS), SQL injection, or, as seen with Gravity Forms, remote code execution. In 2023, Patchstack reported 5,948 new vulnerabilities in the WordPress ecosystem, with 96% tied to plugins and 4% to themes, showing just how vulnerable these components can be.<\/p>\n\n\n\n This isn\u2019t Gravity Forms\u2019 first brush with trouble. In 2023, it had a PHP object injection flaw (CVE-2023-28782) that could have been catastrophic if chained with other vulnerabilities. Just a month before the Gravity Forms breach, in June 2025, the Groundhogg plugin suffered a similar supply chain attack, with malware slipped into its official downloads. Other plugins, like Social Warfare and Contact Form 7 Multi-Step Addon, were hit in June 2024, with hackers injecting code to create unauthorized admin accounts. These incidents reveal a pattern: attackers target plugins because they\u2019re widely used and often trusted without question. With over 60,000 plugins in the WordPress repository, not all get rigorous security checks, making the ecosystem a bit like a digital Wild West.<\/p>\n\n\n\n You might be wondering: if plugins like Gravity Forms can be compromised, just how safe is WordPress? The answer is nuanced. WordPress core is remarkably secure – only 0.2% of vulnerabilities in 2024 were tied to the core software, and those were low-severity issues. The real risks come from third-party plugins, themes, and user behavior, like failing to update software or using weak passwords. In 2023, Sucuri reported that 39.1% of hacked CMS sites (including WordPress) were running outdated software, a preventable issue that auto-updates have helped reduce. WordPress\u2019s core team has made strides, like introducing one-click updates in 2008 (version 2.7) and automatic updates later, which slashed core-related hacks from 61% in 2016 to nearly zero today.<\/p>\n\n\n\n Still, the ecosystem\u2019s openness means vulnerabilities persist. In 2024, Patchstack recorded 7,966 new vulnerabilities, with 47.7% being XSS issues, 14.19% broken access control, and 11.35% cross-site request forgery (CSRF). Plugins like TimThumb, Revslider, and even Gravity Forms have historically been prime targets due to their popularity. The table below summarizes key WordPress security breaches to give you a sense of the ecosystem\u2019s history and ongoing challenges.<\/p>\n\n\n\nWordPress Ecosystem Vulnerabilities<\/h2>\n\n\n\n
How Safe Is WordPress?<\/h2>\n\n\n\n
Notable WordPress Security Breaches (2007\u20132025)<\/h2>\n\n\n\n