The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, contained a dormant backdoor for years that could inject arbitrary code into affected sites, according to a technical analysis by Anchor.
KEY FACTS
- Plugin: Quick Page/Post Redirect is a redirect utility for WordPress posts, pages and custom URLs.
- Finding: versions 5.2.1 and 5.2.2 included a hidden self-update mechanism pointing to anadnet.com.
- Impact: sites running those versions later received a tampered 5.2.3 build with a passive backdoor.
- Status: WordPress.org has temporarily removed the plugin pending review.
The report says the malicious updater was removed from later versions on WordPress.org in February 2021 before code reviewers examined it. In March 2021, sites using versions 5.2.1 and 5.2.2 silently received a modified build from an external server, which added the backdoor.
The extra code was present in a build from w.anadnet.com but not in the WordPress.org version of the same release, according to the report. The backdoor activates only for logged-out visitors, which helps hide its activity from site administrators. It is tied to WordPress's the_content hook and fetches data from the same server.
The real risk comes from the update mechanism itself, which can enable arbitrary code execution on demand. The mechanism is still present on sites using the plugin, but it is dormant because the external command-and-control subdomain does not resolve, although the domain remains active.
Users are advised to uninstall the plugin and replace it with a clean copy of version 5.2.4 from WordPress.org when it is available again. The researcher also said the plugin still has 70,000 installs with an update check pointing to the anadnet server.
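A defender-side check for the indicators the report names, as an added example that is not taken from Anchor's analysis or from the plugin's code: it walks a plugins directory, reads each plugin header, and reports copies named Quick Page/Post Redirect at versions 5.2.1 to 5.2.3 and any PHP file that mentions anadnet.com. The default path wp-content/plugins and matching on the header name are assumptions; a version match alone cannot tell the tampered 5.2.3 build from the WordPress.org build of the same release.

```python
import re
import sys
from pathlib import Path

# Domain, plugin name and versions come from the article; the rest is assumed.
DOMAIN = re.compile(rb"anadnet\.com", re.I)
PLUGIN_NAME = "quick page/post redirect"
FLAGGED_VERSIONS = {"5.2.1", "5.2.2", "5.2.3"}
# Standard WordPress plugin header fields, e.g. " * Version: 5.2.2"
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t\r]*$",
                    re.I | re.M)


def read_header(php_file):
    """Return (name, version) from a plugin header comment, or None."""
    # WordPress itself only reads the first 8 KiB when looking for headers.
    head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    fields = {key.lower(): value for key, value in HEADER.findall(head)}
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "")


def audit_plugins(plugins_dir):
    """Scan every plugin folder and return one finding dict per suspect copy."""
    findings = []
    for plugin in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        name, version = "", ""
        for php in sorted(plugin.glob("*.php")):
            header = read_header(php)
            if header:
                name, version = header
                break
        # PHP files that mention the external update server named in the report.
        hits = sorted(f.relative_to(plugin).as_posix()
                      for f in plugin.rglob("*.php")
                      if DOMAIN.search(f.read_bytes()))
        named = PLUGIN_NAME in name.lower()
        if hits or named:
            findings.append({
                "dir": plugin.name, "name": name, "version": version,
                "flagged_version": named and version in FLAGGED_VERSIONS,
                "domain_refs": hits,
            })
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    for finding in audit_plugins(root):
        print(finding)
```

A plain-text domain match is an indicator, not proof of a clean install when absent, since the string could be encoded or assembled at runtime.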
WHY IT MATTERS
The case shows how a trusted plugin can be used to push code outside the normal review process and stay hidden for years. Sites that still depend on the plugin may remain exposed until they remove it or receive a clean update path.

