WordPress Plugin Hacked Since 2020 to Inject Malicious
A major supply chain attack has been identified within the Quick Page/Post Redirect Plugin, a popular WordPress plugin with over 70,000 active installations.
Security researcher Austin Ginder discovered a dormant backdoor introduced five years ago that silently injects arbitrary code into websites.
The malicious code bypassed official security checks by leveraging a custom remote update checker, effectively turning the plugin into a vehicle for parasite SEO and remote code execution.
Backdoored WordPress Plugin
The investigation began when routine security audits on a hosting fleet flagged anomalies in plugin version 5.2.3.
While the affected websites reported running version 5.2.3, the file hashes did not match those of the official release on the WordPress repository.
The tampered files contained an unauthorized function that reached out to a third-party server and injected returned content directly into website pages.
To evade detection, the injection was specifically hidden from logged-in administrators and only triggered for regular visitors and search engine crawlers.
The compromise was executed through a highly sophisticated, multi-stage process involving two distinct backdoors.
The active backdoor was a bundled copy of a plugin update checker library configured to poll a server controlled by the developer, rather than the official WordPress infrastructure.
This mechanism allowed the malicious actor to push unauthorized updates with full administrative privileges.
The passive backdoor was the injected payload itself, which quietly fetched and displayed hidden content from a remote command-and-control server.
Although the command-and-control server is currently offline and the backdoor is dormant, the update mechanism remains fully functional and could be reactivated at any time.
An Inside Supply Chain Attack
Extensive analysis of the plugin’s commit history revealed that the attack was orchestrated by the plugin’s original author, anadnet.
The developer intentionally committed the malicious self-updater to the official repository in late 2020, allowing it to propagate to thousands of websites.
Months later, the author distributed the tampered payload through their private server before quietly removing the custom updater from the official source code.
This deliberate maneuver erased obvious traces of the compromise from the official repository while leaving existing installations permanently tethered to the attacker’s infrastructure.
The WordPress plugin review team temporarily pulled the Quick Page/Post Redirect Plugin from the directory in April 2026 pending a full investigation.
Since attackers can spoof version numbers, traditional vulnerability scanners often fail to detect this type of supply chain compromise.
According to a report by Austin Ginder at Anchor, administrators should use the built-in WordPress command-line tool to verify plugin checksums against the official repository.
Any mismatch indicates a compromised file, and security experts recommend completely uninstalling the affected plugin in favor of actively maintained alternatives.
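As an added illustration of the check recommended above (not code from the report, Anchor, or WP-CLI), this Python script reproduces offline what `wp plugin verify-checksums` does: hash every installed plugin file and compare it with the official checksum manifest, so a copy that merely claims to be 5.2.3 is caught by content, not by version string. The manifest layout, the plugin slug `quick-pagepost-redirect-plugin`, the file contents and the `vendor/plugin-update-checker/` path are assumptions constructed for the example.

```python
import hashlib, os, tempfile

# Constructed "official" 5.2.3 file contents; their hashes stand in for the
# manifest at downloads.wordpress.org/plugin-checksums/<slug>/<version>.json
OFFICIAL_FILES = {
    "quick-pagepost-redirect-plugin.php": b"<?php\n// official 5.2.3 main file\n",
    "readme.txt": b"=== Quick Page/Post Redirect ===\nStable tag: 5.2.3\n",
}

def build_manifest(slug, version, files):
    """Lay out a checksum manifest: {"plugin", "version", "files": {path: {md5, sha256}}}."""
    return {"plugin": slug, "version": version, "files": {
        path: {"md5": hashlib.md5(data).hexdigest(),
               "sha256": hashlib.sha256(data).hexdigest()}
        for path, data in files.items()}}

def verify_plugin(plugin_dir, manifest):
    """Hash every installed file and compare with the manifest.
    Returns (mismatched, missing, extra) as sorted relative paths."""
    expected, installed = manifest["files"], set()
    mismatched, extra = [], []
    for root, _, names in os.walk(plugin_dir):
        for name in names:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, "/")
            installed.add(rel)
            if rel not in expected:
                extra.append(rel)        # file the official release never shipped
                continue
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if digest != expected[rel]["sha256"]:
                mismatched.append(rel)   # same path, tampered content
    missing = [p for p in expected if p not in installed]
    return sorted(mismatched), sorted(missing), sorted(extra)

def demo():
    """Install a tampered copy that still claims 5.2.3 (hypothetical updater path), then verify."""
    manifest = build_manifest("quick-pagepost-redirect-plugin", "5.2.3", OFFICIAL_FILES)
    tampered = dict(OFFICIAL_FILES)
    tampered["quick-pagepost-redirect-plugin.php"] += b"// remote content fetch added\n"
    tampered["vendor/plugin-update-checker/loader.php"] = b"<?php // custom updater\n"
    with tempfile.TemporaryDirectory() as d:
        for rel, data in tampered.items():
            path = os.path.join(d, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return verify_plugin(d, manifest)
```

On a live site the equivalent is `wp plugin verify-checksums quick-pagepost-redirect-plugin`, which fetches the manifest for the installed version itself; any mismatched or extra file is the signal, regardless of what version the plugin header reports.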
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.