Popular WordPress redirect plugin hid dormant backdoor for years
by Bill Toulas · BleepingComputerThe Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites.
The malware was uncovered by Austin Ginder, the founder of WordPress hosting provider Anchor, who found it after 12 infected sites on his fleet triggered a security alert.
Quick Page/Post Redirect plugin, available on WordPress.org for several years, is a basic utility plugin used for creating redirects in posts, pages, and custom URLs.
WordPress.org has temporarily pulled the plugin from the directory pending a review. It is unclear if the author of the plugin introduced the backdoor or they were compromised by a third party.
Ginder explains that official plugin versions 5.2.1 and 5.2.2, released between 2020 and 2021, included a hidden self-update mechanism pointing to a third-party domain, anadnet[.]com, which allowed pushing arbitrary code outside WordPress.org’s control.
In February 2021, the malicious self-updater was removed from subsequent versions of the plugin on WordPress.org, before code reviewers had a chance to scrutinize it.
In March 2021, according to Ginder, sites running Quick Page/Post Redirect 5.2.1 and 5.2.2 silently received a tampered 5.2.3 build from that external server, which introduced a passive backdoor.
However, the build from the 'w.anadnet[.]com' server with the extra backdoor code had a different hash than the same version of the plugin sourced from WordPress.org.
The passive backdoor triggers only for logged-out users to hide its activity from admins. It is hooked into ‘the_content’ and fetches data from the 'anadnet' server, likely used for SEO spam operations.
"The actual mechanism was cloaked parasite SEO. The plugin was renting Google ranking on seventy thousand websites back to whoever was operating that backchannel in 2021,” explained Ginder.
The real danger for impacted websites, though, comes from the updating mechanism itself, which enabled arbitrary code execution on demand. That mechanism is still present on sites using the plugin, but dormant because the malicious external command-and-control subdomain does not resolve. The domain is active, though.
The solution for impacted users is to uninstall the plugin and replace it with a clean copy of version 5.2.4 sourced from WordPress.org when it becomes available again.
Ginder included a message for whoever is behind the backdoor, urging them to do the right thing now and publish a static update manifest that forces all affected installs to automatically upgrade to the clean WordPress.org version, effectively removing the backdoor from previously compromised sites.
The researcher warns that Quick Page/Post Redirect still has 70,000 installs with an update check pointing to the 'anadnet' server.
99% of What Mythos Found Is Still Unpatched.
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop.