I really appreciate that this supply breach was discovered by a diligent system operator (tracking a slow HTTP request).
Similarly, the xz breach was uncovered by a diligent developer looking at quirky SSH login performance regressions.
doodlebugging · 15m ago
Nice work to identify this malware and take action against it spreading. The article does have one small error though that made me do a double-take.
The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.
mpol · 5h ago
Using a nonce before checking the form would have prevented much of the problems described. Or stated differently, it would suddenly require lots of manual labour.
jimjambw · 3h ago
I’m from a technical background and so I understand this but being a Brit sentences like this are always funny to me
theglenn88_ · 2h ago
Not On Normal Courtyard Exercise
stuartjohnson12 · 55m ago
Basically A Creative Kind of Reverse Origin Naming You Make
astura · 1h ago
For those who didn't understand this comment (like me)
Nonce is also British slang for alleged or convicted sex offenders, especially ones involving children.
MarkusQ · 1m ago
That's why you should call them pervs (per-instance values).
4ndrewl · 1h ago
Makes some discussions with non-technical stakeholders interesting.
iambateman · 25m ago
How is this even possible? Is the most likely explanation that a bad actor within GravityForms snuck something in?
I didn’t see anything in the article but I may have missed it.
Y-bar · 14m ago
Could have been a compromised CI pipeline like Jenkins or a developer machine with a malware infection.
giingyui · 4h ago
Should say what plugin it is.
Etheryte · 4h ago
It's in the title? It's the official GravityForms plugin, supposedly version 2.9.13 fixes the issue, but the changelog [0] doesn't even mention the breach.
The way it’s worded in the article it sounds like there are multiple plugins available in that domain.
> one of the plugins that they are trying to download from the official gravityforms.com domain
It’s common for certain plugins to have… plugins of their own. For example if you have a form created with gravityforms and you want to connect it to a CRM or something, there is a screen inside the plugin settings to install it. Which is why I asked. (I don’t know if that’s the case with gravityforms.)
redrove · 3h ago
Honestly it still required a web search on my part to figure out it’s a WordPress plugin. That should be in the title.
autoexec · 3h ago
Any time I read the words vulnerable and plugin I just assume WordPress is involved somehow. I'm convinced that the internet would be instantly more secure if the entire platform died off.
ChrisMarshallNY · 2h ago
It would.
It also would be a lot less useful. A lot of content is published through WordPress.
I suspect an effective approach would be encouraging ways to make WP more secure, or publish a secure platform that can easily be transitioned from WP.
Similarly, the xz breach was uncovered by a diligent developer looking at quirky SSH login performance regressions.
The most recent update at the top of the page should probably be "Update 7-12-2025 06:00 UTC" instead of the current future date of 08-11-2025. I think the author incremented the wrong digit.
Nonce is also British slang for alleged or convicted sex offenders, especially ones involving children.
I didn’t see anything in the article but I may have missed it.
[0] https://docs.gravityforms.com/gravityforms-change-log/
> one of the plugins that they are trying to download from the official gravityforms.com domain
It’s common for certain plugins to have… plugins of their own. For example if you have a form created with gravityforms and you want to connect it to a CRM or something, there is a screen inside the plugin settings to install it. Which is why I asked. (I don’t know if that’s the case with gravityforms.)
It also would be a lot less useful. A lot of content is published through WordPress.
I suspect an effective approach would be encouraging ways to make WP more secure, or publish a secure platform that can easily be transitioned from WP.