
Popular WordPress Redirect Plugin Hid Dormant Backdoor for Years
Why It Matters
The hidden backdoor exposed a large swath of WordPress sites to unauthorized code execution and SEO manipulation, highlighting systemic risks in third‑party plugin update mechanisms. Prompt remediation is critical to protect site integrity, search rankings, and visitor trust.
Key Takeaways
- Plugin installed on >70,000 WordPress sites contained hidden backdoor
- Backdoor delivered via malicious self‑update from anadnet.com in 2021
- Backdoor only activates for logged‑out visitors, enabling SEO spam
- WordPress.org removed plugin pending review; clean version 5.2.4 forthcoming
- Update mechanism remains dormant but still points to active malicious domain
Pulse Analysis
The Quick Page/Post Redirect plugin has long been a go‑to utility for WordPress administrators needing simple URL redirects. Its widespread adoption—over 70,000 active installations—made the recent discovery of a concealed backdoor especially alarming. Security researcher Austin Ginder identified the threat after a cluster of his hosted sites triggered alerts, revealing that versions 5.2.1 and 5.2.2 contained a covert self‑updater pointing to an external server (anadnet.com). This mechanism bypassed WordPress.org’s review process, allowing attackers to push malicious code directly to vulnerable sites.
Technical analysis shows the backdoor was engineered to stay silent for logged‑in administrators while serving SEO‑spam payloads to anonymous visitors. By hooking into the `the_content` filter, the code fetched and injected spammy links, effectively renting the compromised sites’ Google rankings to the attacker. Although the malicious domain no longer resolves, the update check remains active, leaving a dormant but exploitable vector on any site that has not upgraded to a clean build. This underscores a broader vulnerability: plugins that rely on external update URLs can become covert channels for code injection, evading traditional repository safeguards.
In response, WordPress.org has temporarily removed the plugin from its directory and is preparing a sanitized 5.2.4 release. Administrators should immediately uninstall the compromised version and reinstall the forthcoming clean build once available. The episode serves as a cautionary tale for the WordPress ecosystem, emphasizing the need for rigorous code review, strict control over third‑party update sources, and continuous monitoring of plugin health. Site owners are urged to audit all installed plugins, enforce automatic updates from trusted repositories, and consider security‑focused hosting solutions to mitigate similar threats in the future.
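One way to start the plugin audit recommended above, as an added example (not code from the plugin or from the researcher's analysis): a heuristic scan of a `wp-content/plugins` tree for plugins that hook WordPress's update data or declare an `Update URI` header and reference a host outside wordpress.org. The trusted-host list, the sample plugin names and the host `updates.example.invalid` are constructed assumptions; an updater that avoids these hooks would not be caught.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: only the official repository is an acceptable update source.
TRUSTED = ("wordpress.org",)
# WordPress hooks a plugin can use to supply its own update data.
UPDATE_HOOKS = ("pre_set_site_transient_update_plugins",
                "site_transient_update_plugins", "plugins_api")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
HEADER_RE = re.compile(r"^[ \t/*#@]*Update URI:[ \t]*(\S+)", re.I | re.M)

def _host(url):
    return (urlparse(url).hostname or "").lower()

def _trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def audit_plugin(plugin_dir):
    """Non-repository hosts in files that hook updates or set an Update URI header."""
    hosts = set()
    for php in Path(plugin_dir).rglob("*.php"):
        src = php.read_text(errors="replace")
        hosts.update(_host(u) for u in HEADER_RE.findall(src))
        if any(hook in src for hook in UPDATE_HOOKS):
            hosts.update(_host(u) for u in URL_RE.findall(src))
    return sorted(h for h in hosts if h and not _trusted(h))

def audit_all(plugins_root):
    """Map plugin folder name -> suspicious update hosts, for plugins with findings."""
    dirs = sorted(d for d in Path(plugins_root).iterdir() if d.is_dir())
    return {d.name: found for d in dirs if (found := audit_plugin(d))}

def build_sample(root):
    """Constructed sample plugins for the demo (not code from the real plugin)."""
    bad, ok = Path(root, "sample-redirect"), Path(root, "sample-clean")
    bad.mkdir()
    ok.mkdir()
    (bad / "updater.php").write_text(
        "<?php\nadd_filter('pre_set_site_transient_update_plugins', 'chk');\n"
        "function chk($t) { wp_remote_get('https://updates.example.invalid/info.json'); return $t; }\n")
    (ok / "clean.php").write_text(
        "<?php\n/* Plugin URI: https://wordpress.org/plugins/sample-clean/ */\n"
        "add_filter('the_content', 'wpautop');\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_all(tmp))
```

Point `audit_all` at a real `wp-content/plugins` directory and treat every hit as a lead for manual review, since commercial plugins legitimately ship their own updaters.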