Gravity Forms is a very popular premium WordPress plugin.
I maintain a handful of WordPress sites (wouldn't have been my choice of platform but whatever) and the design and functionality of Gravity Forms is better than most (aside from it being CPU-hungry). It doesn't generally give me trouble and as a developer I've been happy with how Rocket Genius have interacted with me when I've filed trouble tickets.
A pretty substantial number of small and mid-tier orgs have Gravity Forms installed. I don't know the numbers — the wordpress.org popularity stats mainly reflect installation of free plugins not premium — but there should be a lot of sites handling a lot of traffic.
EDIT: That's the number of sites which could have been affected. Fortunately only a small number of sites actually got the compromised package because it didn't enter the main automatic distribution chain.
Seemingly a small number of sites that manually downloaded that version from the site, as opposed to 'most', which get premium (paid) update files through their API gateway (that I think calls the file from AWS).
> The Gravity API service that handles licensing, automatic updates, and the installation of add-ons initiated from within the Gravity Forms plugin was never compromised. All package updates managed through that service are unaffected.
"The infection does not seem to be widespread, which could mean that the backdoored plugin was only available for a very short period of time and only delivered to a small number of users."
rectang|7 months ago
dotancohen|7 months ago
chuckreynolds|7 months ago
Dazzler5648|7 months ago