Gravity Forms Bug Left 46,000+ Sites Exposed. Was Yours One of Them?


Recently, a critical security flaw in Gravity Forms put over 46,000 websites at risk of a full site breach. This vulnerability allowed any attacker to upload malicious files and seize control of a site without needing a password.

But for MalCare customers, their sites were never at risk.

Our firewall was already blocking this exact attack method long before the threat was publicly disclosed on November 17, 2025. This proactive defense means your site was secure then, and it remains secure today.

What’s the real threat?

Vulnerability that goes undetected

Most website owners believe a security threat begins the day it’s announced. This is a dangerous misconception. The truth is, by the time you hear about a vulnerability, it has likely been a part of the plugin’s code, and on your site, for a very long time.

To find out just how long this hidden risk period lasts, our security team conducted an in-depth analysis of thousands of WordPress plugins. 

And the results were concerning…

We found that a vulnerability sits in the code for an average of 14 months before it is ever found and reported by security researchers.

🤯 Think about it. Every undiscovered flaw in your plugins is a race. Security researchers are looking for it. So are hackers. Who do you think finds it first?

That silent window of vulnerability is a hacker’s prime opportunity. During these months, your site is defenseless against attacks that have no name, patch, or warning. An update-only security strategy simply fails, leaving you completely exposed when the risk is highest.

What you must do right now

Before you do anything else, you need to confirm that your site hasn’t already been compromised.

  • Scan your site with MalCare: Our robust scanner will inspect every file and database entry for any hidden backdoors or malicious code that an attacker might have left behind.
  • If the scan confirms your site is secure, you have nothing to worry about.
  • Update the Gravity Forms plugin. Once you’ve confirmed your site is clean, update Gravity Forms to version 2.9.22. This official patch permanently closes this specific security gap.

How MalCare keeps your site safe

Blocking an attack before it’s publicly known requires a fundamentally different security approach. This is where our firewall, Atomic Security, comes into play.

It acts as a universal checkpoint for every file upload to your site. While most plugins are secure, some have a dangerous procedural gap: saving a file to your server before validating its safety. 

Atomic Security inspects the upload request the moment it arrives, stopping suspicious files at the door and ensuring they never land on your server in the first place.

A closer look at the Gravity Forms vulnerability 

This attack is the perfect illustration of why a proactive defense succeeds where reactive methods fail. The vulnerability was a critical Unauthenticated Arbitrary File Upload (Severity: 8.1 – High), which allowed remote code execution without any credentials.

In simple terms, this means that any visitor to a site running Gravity Forms, from a logged-in customer to a random anonymous user, could potentially exploit it. This dramatically widened the attack surface of any vulnerable website.

How the flaw worked

The problem was a procedural security gap. Gravity Forms had an incomplete blocklist, missing the dangerous .phar file extension. The deeper issue was that the plugin saved files to a temporary location before completing its flawed security check, creating a critical window of opportunity.

How an attacker could exploit it

An attacker can submit a malicious .phar file through any form with a file upload field. Because of the procedural flaw, the plugin saves this dangerous file to the server before realizing it should have been blocked. 

This allows the attacker to access the file’s URL and execute their code, giving them the power to deface the site, steal data, or install a permanent backdoor.
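As an added illustration (constructed for this article, not Gravity Forms’ own code or MalCare’s), here are the two mistakes described above, a blocklist that omits .phar and a check that runs only after the file is already on disk, next to a handler that decides before writing anything and uses an allowlist. It assumes a WordPress context for the wp_check_filetype_and_ext() helper.

```php
<?php
// Constructed example of the flawed pattern: an incomplete extension
// blocklist (no .phar) and a check performed only after the write.
function vulnerable_handle_upload(array $file, string $tmp_dir): ?string {
    $blocked = ['php', 'php5', 'phtml'];           // .phar is missing
    $dest = $tmp_dir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);   // written before any check
    $ext = strtolower(pathinfo($dest, PATHINFO_EXTENSION));
    if (in_array($ext, $blocked, true)) {
        unlink($dest);                              // too late: the file already existed
        return null;
    }
    return $dest;
}

// Hardened version: validate before touching disk, allow only the types the
// form actually needs, confirm content matches the extension, and let the
// server pick the stored filename so the client's name never reaches disk.
function safe_handle_upload(array $file, string $tmp_dir, array $allowed): ?string {
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;                                // rejected without a write
    }
    // WordPress helper: sniffs the content and returns the real extension/type.
    $check = wp_check_filetype_and_ext($file['tmp_name'], $file['name']);
    if (empty($check['ext']) || strtolower($check['ext']) !== $ext) {
        return null;                                // claimed extension does not match content
    }
    $dest = $tmp_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

// Typical call from a form handler: only document and image types are accepted.
// $stored = safe_handle_upload($_FILES['attachment'], $tmp_dir, ['pdf', 'png', 'jpg']);
```

The ordering is the point: in the first function a rejected file exists on the server between the write and the unlink, which is exactly the window an upload firewall has to close; in the second it never does.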

Conclusion

The reality is that hackers operate in the long, silent gap between a flaw’s creation and its discovery. A security strategy that only reacts to public announcements is a strategy that has already accepted defeat.

Your defense must be active in that gap, identifying and blocking malicious behavior, not just known threats. This is the principle MalCare is built on, providing the constant, proactive security that the modern web demands.
