Yesterday two of my client’s websites were hacked due to an outdated GravityForms plug-in.
The business model of the developer of the (highly recommended) plug-in is to sell licenses that get you updates for 1 year. After the license expires, the plug-in continues to work – you just get no future updates without renewal of the license. In this case, we missed an important security fix for an exploit (Gravity Forms Arbitrary File Upload Hack 2015) that makes it possible to upload PHP files to the uploads directory of WordPress.
Luckily we caught the malicious script in flagrante and no harm was done. Lesson learned. But as “over one million WordPress sites are already using the Gravity Forms plug-in”, such a script attack must have been quite successful.
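A defender-side check for the failure mode described above (PHP files landing in the WordPress uploads directory), added here as an example and not part of the original post: it walks an uploads tree and flags anything that is PHP by extension (double extensions such as `avatar.php.jpg` included) or by content (a PHP open tag hidden in an image). The directory layout, file names and file bytes in `demo()` are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Extensions a typical Apache/PHP setup may hand to the PHP interpreter.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
# PHP open tags, matched on file content so renamed or polyglot files are caught too.
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)


def is_php_by_name(path: Path) -> bool:
    """True if any suffix is a PHP extension, so 'avatar.php.jpg' is flagged as well."""
    return any(s.lower() in PHP_EXTENSIONS for s in path.suffixes)


def has_php_open_tag(path: Path) -> bool:
    """True if the file body contains a PHP open tag (whole file is read; uploads are small)."""
    try:
        return PHP_OPEN_TAG.search(path.read_bytes()) is not None
    except OSError:
        return False


def find_php_in_uploads(uploads_dir) -> list:
    """Return sorted paths (relative to uploads_dir) of files that look like PHP code."""
    root = Path(uploads_dir)
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and (is_php_by_name(p) or has_php_open_tag(p))
    )


def demo() -> list:
    """Build a constructed uploads tree in a temp dir and return what the scan flags."""
    samples = {  # constructed sample files, not real uploads
        "2015/09/photo.jpg": b"\xff\xd8\xff\xe0 fake jpeg body",
        "2015/09/shell.php": b"<?php /* constructed placeholder */ ?>",
        "2015/09/avatar.php.jpg": b"plain bytes, PHP only in the name",
        "2015/10/logo.png": b"\x89PNG\r\n\x1a\n" + b"<?php /* appended to an image */ ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return find_php_in_uploads(tmp)


if __name__ == "__main__":
    for hit in demo():
        print("suspicious:", hit)
```

Run `find_php_in_uploads("wp-content/uploads")` against a real site to get the list of files to inspect; a clean uploads directory returns an empty list.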