A widely used WordPress plugin called Quick Page/Post Redirect, installed on more than 70,000 websites, was found to contain a hidden backdoor that could allow attackers to inject arbitrary code.
The issue dates back around five years, raising concerns about long-term exposure for affected sites.
The malware was discovered by Austin Ginder, founder of hosting provider Anchor, after security alerts were triggered across 12 websites under his management. His investigation revealed that the plugin, commonly used to manage URL redirects for posts and pages, had been silently compromised.
The plugin has since been temporarily removed from the WordPress.org directory while a review is underway. It is still unclear whether the backdoor was intentionally added by the original developer or introduced through a third-party compromise.
According to Ginder, versions 5.2.1 and 5.2.2 of the plugin, released between 2020 and 2021, included a hidden self-update feature that connected to an external domain, anadnet[.]com. This allowed remote code to be pushed to websites outside of WordPress.org’s official update system.
Although the malicious updater was removed in later releases, it had already been used in March 2021 to distribute a modified version 5.2.3 to affected sites. This altered version contained a passive backdoor that differed from the official release, even though it shared the same version number.
The backdoor was designed to stay hidden by activating only for logged-out visitors, making it difficult for site administrators to detect. It injected content via the ‘the_content’ hook and pulled data from the external server, likely for SEO spam campaigns.
Ginder explained that the system was effectively used for parasite SEO, leveraging the ranking power of thousands of compromised websites. However, the more serious concern is the update mechanism itself, which allowed remote execution of arbitrary code.
Even though the malicious server currently appears inactive, the update mechanism still exists on affected installations. The domain remains active, meaning it could potentially be reactivated in the future.
Users are advised to uninstall the plugin immediately and replace it with a clean version, specifically version 5.2.4, once it becomes available again on WordPress.org.
Ginder also called on the attacker to release a final update that forces all infected sites to upgrade to a safe version, effectively removing the backdoor. He warned that tens of thousands of websites are still running versions that attempt to check for updates from the suspicious external server.
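The check below is an added example, not code from Ginder or the plugin: it scans one plugin directory for references to the update server named above and reads the plugin header version. The function names and the directory you pass in are assumptions; because the tampered 5.2.3 shared its version number with the official release, the version string alone never clears an install.

```python
import re
import sys
from pathlib import Path

# Indicator from the article (written there defanged as anadnet[.]com).
IOC_DOMAIN = "anadnet" + "." + "com"
# 5.2.1 and 5.2.2 shipped the updater; a tampered 5.2.3 was pushed through it.
SUSPECT_VERSIONS = {"5.2.1", "5.2.2", "5.2.3"}
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][\w.\-]*)", re.I | re.M)


def plugin_version(plugin_dir):
    """Return the Version: value from the top-level PHP file carrying the plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # WordPress reads only the first 8 KiB
        if "Plugin Name:" in head:
            m = VERSION_RE.search(head)
            if m:
                return m.group(1)
    return None


def find_ioc(plugin_dir):
    """Return (relative path, line number) for each line that mentions the domain."""
    hits = []
    for path in sorted(Path(plugin_dir).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in {".php", ".js", ".inc"}:
            continue
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if IOC_DOMAIN in line.lower().replace("[.]", "."):
                hits.append((path.relative_to(plugin_dir).as_posix(), no))
    return hits


def assess(plugin_dir):
    """Combine both checks into a verdict: remove, review, or no-indicator."""
    version = plugin_version(plugin_dir)
    hits = find_ioc(plugin_dir)
    if hits:
        verdict = "remove"        # code still references the external update server
    elif version in SUSPECT_VERSIONS:
        verdict = "review"        # diff against an official copy before trusting it
    else:
        verdict = "no-indicator"  # the plain-text indicator is absent, nothing more
    return {"version": version, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    print(assess(sys.argv[1]))
```

A `no-indicator` result only means the plain-text domain was not found; it does not rule out an obfuscated reference.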





