
giingyui
Should say what plugin it is.

Etheryte
It's in the title? It's the official GravityForms plugin; supposedly version 2.9.13 fixes the issue, but the changelog [0] doesn't even mention the breach.

[0] https://docs.gravityforms.com/gravityforms-change-log/

giingyui OP
The way it’s worded in the article it sounds like there are multiple plugins available in that domain.

> one of the plugins that they are trying to download from the official gravityforms.com domain

It’s common for certain plugins to have… plugins of their own. For example if you have a form created with gravityforms and you want to connect it to a CRM or something, there is a screen inside the plugin settings to install it. Which is why I asked. (I don’t know if that’s the case with gravityforms.)

redrove
Honestly it still required a web search on my part to figure out it’s a WordPress plugin. That should be in the title.
autoexec
Any time I read the words vulnerable and plugin I just assume WordPress is involved somehow. I'm convinced that the internet would be instantly more secure if the entire platform died off.
ChrisMarshallNY
It would.

It also would be a lot less useful. A lot of content is published through WordPress.

I suspect an effective approach would be encouraging ways to make WP more secure, or publish a secure platform that can easily be transitioned from WP.

d0mine
WordPress dominates the internet outside megacorps. There are a lot of security issues but there is a lot of utility too.
swang
You're not supposed to editorialize or change the title per HN rules.