
Critical WordPress Plugin Bug Lets Attackers Inject Malicious Code


David kimber
April 30, 2026

Key Takeaways

  • A critical supply chain vulnerability was discovered in the popular WordPress Quick Page/Post Redirect Plugin, affecting over 70,000 active installations.
  • The plugin’s original author intentionally introduced a backdoor five years ago, enabling silent injection of arbitrary malicious code.
  • This sophisticated attack leveraged a custom update mechanism to bypass security checks, facilitating parasite SEO and remote code execution.
  • While the command-and-control server is currently offline, the update mechanism remains active, posing a persistent threat.
  • Users are urged to verify plugin checksums and uninstall the compromised plugin, replacing it with secure alternatives.

Sophisticated Backdoor Uncovered in Popular WordPress Plugin

A significant supply chain vulnerability has been identified within the Quick Page/Post Redirect Plugin, a widely used WordPress extension boasting more than 70,000 active installations. Security researcher Austin Ginder unearthed a dormant backdoor, surreptitiously introduced half a decade ago, designed to inject arbitrary malicious code into websites without detection.

This malicious functionality circumvented standard security protocols by utilizing a custom remote update checker, effectively transforming the plugin into a vector for illicit SEO manipulation and potential remote code execution.

Deep Dive: The Backdoored WordPress Plugin

The investigation into this compromise began following routine security audits on a hosting infrastructure, which flagged unusual behavior in plugin version 5.2.3. Despite websites reporting this version number, their file hashes did not align with those of the official release hosted on the WordPress repository. It was discovered that the tampered files contained an unauthorized function configured to communicate with a third-party server, subsequently injecting content directly into website pages.

To maintain stealth, the injected code was specifically hidden from logged-in administrators, activating only for regular site visitors and search engine crawlers. The compromise involved a highly intricate, multi-stage process incorporating two distinct backdoors.

The active component of the backdoor was a bundled version of a plugin update checker library. This library was configured to poll a server under the developer’s control, rather than the legitimate WordPress update infrastructure. This setup granted the malicious actor the ability to push unauthorized updates with full administrative privileges. The passive element was the injected payload itself, which covertly fetched and displayed hidden content from a remote command-and-control server. Although this command-and-control server is currently inactive, rendering the backdoor dormant, the update mechanism remains fully operational and could be re-activated at any moment.

An Inside Job: Supply Chain Attack Orchestrated by Author

Extensive analysis of the plugin’s commit history revealed that the attack was orchestrated by the plugin’s original author, identified as anadnet. The developer intentionally committed the malicious self-updater to the official repository in late 2020, facilitating its propagation to thousands of websites. Months later, the author distributed the tampered payload via their private server before discreetly removing the custom updater from the official source code. This calculated move erased obvious traces of the compromise from the official repository, yet left existing installations permanently linked to the attacker’s infrastructure.

In April 2026, the WordPress plugin review team temporarily removed the Quick Page/Post Redirect Plugin from its directory, pending a thorough investigation. Traditional vulnerability scanners often fail to detect this type of supply chain compromise because attackers can spoof version numbers.

According to a report by Austin Ginder at Anchor, administrators should utilize the built-in WordPress command-line tool to verify plugin checksums against the official repository. Any discrepancy indicates a compromised file. Security experts strongly advise completely uninstalling any affected plugin and migrating to actively maintained, secure alternatives.

What You Should Do

  • Verify Plugin Checksums: Use the WordPress command-line interface (WP-CLI) to check the integrity of your installed plugins against the official WordPress repository. Mismatched checksums indicate potential compromise.
  • Uninstall Immediately: If the Quick Page/Post Redirect Plugin is installed on your WordPress site, uninstall it completely. Deactivating it is insufficient, as the malicious update mechanism could still be active.
  • Choose Alternatives: Replace the compromised plugin with actively maintained and reputable redirect plugins from trusted sources.
  • Review Logs: Conduct a thorough review of your website and server logs for any suspicious activity or unauthorized file modifications.
  • Update Regularly: Ensure all other plugins, themes, and your WordPress core are kept up-to-date to mitigate other known vulnerabilities.
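
The checksum comparison recommended above, as an added example that is not taken from the researcher's report or from WP-CLI: it hashes every file in a plugin directory against a release manifest and reports modified, added and missing files, so an install that still reports version 5.2.3 is flagged anyway. The manifest layout, file names and file contents are constructed for this illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def verify_plugin(plugin_dir, manifest):
    """Compare files under plugin_dir with manifest["files"] = {rel_path: {"sha256": ...}}.

    Returns {"modified": [...], "added": [...], "missing": [...]}.
    """
    plugin_dir = Path(plugin_dir)
    expected = manifest["files"]
    on_disk = {p.relative_to(plugin_dir).as_posix(): p
               for p in plugin_dir.rglob("*") if p.is_file()}
    report = {"modified": [], "added": [], "missing": []}
    for rel, path in sorted(on_disk.items()):
        if rel not in expected:
            report["added"].append(rel)  # file the official release never shipped
            continue
        good = expected[rel]["sha256"]
        good = [good] if isinstance(good, str) else good  # allow several valid hashes
        if sha256_file(path) not in good:
            report["modified"].append(rel)
    report["missing"] = sorted(set(expected) - set(on_disk))
    return report

def demo():
    """Constructed sample: official release vs. an install with the same version header."""
    clean = {"plugin.php": b"<?php /* Version: 5.2.3 */ function redirect() {}\n",
             "readme.txt": b"Stable tag: 5.2.3\n"}
    manifest = {"version": "5.2.3",
                "files": {n: {"sha256": hashlib.sha256(c).hexdigest()}
                          for n, c in clean.items()}}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Tampered install: version header unchanged, one function and one file added.
        (root / "plugin.php").write_bytes(clean["plugin.php"] + b"function fetch_remote() {}\n")
        (root / "readme.txt").write_bytes(clean["readme.txt"])
        (root / "updater").mkdir()
        (root / "updater" / "checker.php").write_bytes(b"<?php // bundled updater\n")
        return verify_plugin(root, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a live site, WP-CLI's `wp plugin verify-checksums` command performs this comparison against the checksums published for the official release.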
