Dormant Backdoor Discovered in Popular WordPress Redirect Plugin Affects 70,000 Sites
What Happened – The “Quick Page/Post Redirect” WordPress plugin, installed on more than 70,000 sites, contained a hidden self‑update mechanism that pointed to a malicious third‑party domain. Between 2020 and 2021 the plugin silently fetched a tampered 5.2.3 build, inserting a passive backdoor that could execute arbitrary code for logged‑out visitors.
Why It Matters for TPRM –
- Third‑party plugins can become a covert attack surface, bypassing the primary vendor’s code‑review process.
- A dormant backdoor enables on‑demand code execution, exposing client data, SEO rankings, and brand reputation.
- Supply‑chain compromise may propagate to multiple downstream customers, inflating risk across the ecosystem.
Who Is Affected – Web‑hosting providers, digital agencies, e‑commerce operators, and any organization running WordPress sites that installed the plugin.
Recommended Actions –
- Inventory all WordPress installations and verify whether the Quick Page/Post Redirect plugin is present.
- Immediately uninstall the plugin or replace it with the clean 5.2.4 version once available.
- Review update mechanisms for all third‑party plugins; enforce strict source verification (e.g., hash checks).
- Conduct a post‑mortem scan for injected code or SEO‑spam artifacts on affected sites.
Technical Notes – The malicious self‑updater used a hidden URL (anadnet.com) to deliver arbitrary PHP payloads via a “the_content” hook, targeting logged‑out users to avoid detection. The backdoor is dormant now because the C2 domain no longer resolves, but the update check remains active. No CVE has been assigned yet. Source: BleepingComputer
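Added example, not code from the plugin or from the source article: a Python script for the inventory, hash-check and scan steps under Recommended Actions. The plugin's directory name is not given above, so `slug` is a parameter the operator supplies, and `clean_copy` is assumed to be a trusted copy of the same version obtained and verified separately.

```python
import hashlib
import re
from pathlib import Path

UPDATE_DOMAIN = "anadnet.com"  # update host named in the Technical Notes
TAMPERED_VERSION = "5.2.3"     # version number carried by the tampered build
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def tree_hashes(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(web_root, slug, clean_copy=None):
    """Report every copy of plugin directory `slug` found under web_root.

    Assumptions: `slug` is supplied by the operator (the article does not name
    the directory); `clean_copy` is a trusted copy of the same version.
    """
    trusted = tree_hashes(clean_copy) if clean_copy else None
    findings = []
    for plugin_dir in Path(web_root).rglob(f"wp-content/plugins/{slug}"):
        if not plugin_dir.is_dir():
            continue
        version, domain_refs = None, []
        for php in sorted(plugin_dir.rglob("*.php")):
            text = php.read_text(errors="replace")
            # WordPress reads the plugin header from top-level PHP files only.
            header = VERSION_RE.search(text) if php.parent == plugin_dir else None
            if header and version is None:
                version = header.group(1)
            if UPDATE_DOMAIN in text.lower():
                domain_refs.append(php.relative_to(plugin_dir).as_posix())
        modified = None  # None means no trusted copy was given to compare with
        if trusted is not None:
            modified = sorted(name for name, digest in tree_hashes(plugin_dir).items()
                              if trusted.get(name) != digest)
        findings.append({
            "path": str(plugin_dir), "version": version,
            "domain_refs": domain_refs, "modified": modified,
            # A version match alone is a prompt for review, not proof of tampering.
            "suspect": bool(domain_refs or modified) or version == TAMPERED_VERSION,
        })
    return findings
```

A plain string match misses an obfuscated hostname, so the comparison against a trusted copy is the stronger of the two checks.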