This post is definitely late, about 6 months late to be exact, but after helping countless new clients resolve hacked and compromised sites over the past 6 months because of this issue, and not seeing much documentation on the internet about this vulnerability, it seemed necessary to write a quick post. First, let me say this:
If you are not running the latest version of Gravity Forms, UPGRADE NOW!
This is not strictly necessary for everybody, since the issue was actually resolved in version 1.8.20, but it’s always good to keep your plugins updated :).
Anyway, the vulnerability we’re discussing exposes the Gravity Forms file upload script, making it possible to inject PHP files into your WordPress install. The overall issue can be read in more detail on Sucuri’s blog if you’re interested in the specifics, but in this post we’re going to discuss how to fix it.
The first step is obviously to upgrade Gravity Forms. No matter what else you do, if you do not fix the root of the issue, it’s going to come back.
Second, it’s time to start cleaning up the install. Begin by downloading a fresh copy of WordPress from the repository and overwriting all files except your wp-content directory.
Next, it’s time to reinstall ALL of your plugins. Yeah, this kind of vulnerability tends to spread quickly and inject malicious code all over. Rather than sifting through all the files, the easiest thing to do is a fresh upload of every plugin on the WordPress install.
Now that you’ve got the plugins taken care of, it’s time for your theme. First, I would recommend deleting all theme folders that you are not currently using; it leaves fewer places for malicious content to hide. Second, go through your theme files, looking in the various PHP files for malicious code or for files that should not be there. It is extremely important that you find every file: failing to do so will cause the malicious scripts to be re-injected and you’ll need to complete this process again. Take your time and get it right the first time; you’ll thank yourself later.
Once you’ve made it through your themes and plugins, the last step is your uploads folder. Cycle through the different folders and ensure there are no executable PHP files within your uploads folder. If there are, remove them immediately.
Finally, it’s time to reset all your WordPress passwords, reset your database user password, and check for any cron jobs that should not be in place. We experienced one instance where we had removed all the content, but a file was being regenerated once per day by a cron job.
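As an added example that is not part of the original post (and not Gravity Forms or WordPress code), here is a small POSIX shell script for the uploads sweep above: it lists files under the uploads tree that carry a PHP-style extension or that hide a PHP open tag behind a harmless-looking extension, and it drops an Apache 2.4 .htaccess into that folder so such files are refused even if one is missed. It assumes GNU find/grep, Apache with AllowOverride permitting FilesMatch/Require in wp-content/uploads, and that the uploads path is passed as the first argument; the file names are whatever exists on your site.

```shell
#!/bin/sh
# Added example, not from the original post or from Gravity Forms/WordPress.
# Assumes GNU find/grep and, for the .htaccess rule, Apache 2.4 with
# AllowOverride allowing FilesMatch/Require inside wp-content/uploads.

# Print every file under the uploads tree ($1) that a web server could run as PHP:
# files with a PHP-style extension, plus files whose content carries a PHP open tag
# behind an innocent extension. grep -a treats binaries as text, so a script
# appended to a real image is still reported.
find_suspicious_uploads() {
    uploads_dir="$1"
    {
        find "$uploads_dir" -type f \
            \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \)
        find "$uploads_dir" -type f \
            ! \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
            -exec grep -al '<?php' {} + || :
    } | sort
}

# Write an Apache 2.4 rule into $1/.htaccess that refuses to serve PHP-style
# files from the uploads folder. Refuses to clobber an existing .htaccess so a
# hand-written one is merged, not lost.
deny_php_in_uploads() {
    htaccess="$1/.htaccess"
    if [ -e "$htaccess" ]; then
        echo "refusing to overwrite existing $htaccess; merge the rule by hand" >&2
        return 1
    fi
    cat > "$htaccess" <<'EOF'
# Deny direct execution of PHP-style files under uploads (Apache 2.4 syntax).
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Usage: sh uploads-sweep.sh /path/to/wp-content/uploads
if [ -n "$1" ]; then
    find_suspicious_uploads "$1"
    deny_php_in_uploads "$1"
fi
```

The .htaccess rule only applies on Apache; nginx ignores .htaccess files, so there the equivalent is a location block denying PHP under the uploads path.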
Assuming you located and removed all the malicious code within the theme files, you should be good to go at this point. Keep your fingers crossed and keep a close eye on your site.
Overall, I personally expect more out of Gravity Forms. This is a very bad vulnerability that should never have made it into a live release, not for a paid plugin. It’s just another reason why you should ALWAYS keep your WordPress site up to date and never completely trust external plugins (even the popular ones).
Need assistance completing the above steps? Check out our sister company WP Cover. Complete WordPress maintenance, security, backups and more starting at $79/month.