WordPress redirect plugin on 70K sites carried dormant backdoor since 2021
Quick Page/Post Redirect, a WordPress utility plugin with over 70,000 installs, has been hiding a backdoor planted five years ago. Researcher Austin Ginder traced it after a security alert fired on a dozen infected sites in his hosting fleet. Versions 5.2.1 and 5.2.2 shipped a hidden self-updater pointing at anadnet[.]com, which in March 2021 silently pushed a tampered 5.2.3 build with a different hash than the WordPress.org release. The malicious updater was quietly stripped from later versions before reviewers caught it.
The implanted backdoor only activates for logged-out visitors, hooking into the_content filter to pull payloads from the attacker domain — a cloaked parasite-SEO scheme that effectively rented Google rankings across 70,000 sites to whoever ran the C2. More dangerously, the self-update path enables arbitrary code execution on demand and remains wired into installs today. It’s dormant only because the C2 subdomain no longer resolves, though the parent domain is still live.
WordPress.org has pulled the plugin pending review. Whether the original author planted the implant or was compromised remains unclear. Operators are advised to uninstall and wait for a clean 5.2.4 build, since affected sites can be reactivated the moment the attacker repoints DNS.
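For operators checking a fleet, an added example (not from the article or the plugin's code) that walks a wp-content/plugins directory and reports every install of the plugin, its version, and any PHP file that mentions the updater domain. It assumes the plugin's header name contains "Quick Page/Post Redirect"; the default path and the result field names are illustrative.

```python
import re
from pathlib import Path

# Indicators taken from the article: plugin name, the versions that shipped the
# hidden updater (5.2.1, 5.2.2) or were pushed by it (5.2.3), and its domain.
PLUGIN_NAME = "quick page/post redirect"  # assumed to appear in the plugin header
FLAGGED_VERSIONS = {"5.2.1", "5.2.2", "5.2.3"}
IOC_DOMAIN = re.compile(rb"anadnet\.com", re.IGNORECASE)
HEADER = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.I | re.M)


def read_header(php_file):
    """Return (name, version) from a WordPress plugin header, or None."""
    try:
        head = php_file.read_bytes()[:8192].decode("utf-8", "replace")
    except OSError:
        return None
    # reversed() so that the first occurrence of each field wins
    fields = {k.lower(): v for k, v in reversed(HEADER.findall(head))}
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "")


def scan_plugins(plugins_dir):
    """Report every install of the plugin found under plugins_dir."""
    findings = []
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        header = next((h for f in sorted(folder.glob("*.php"))
                       if (h := read_header(f))), None)
        if header is None or PLUGIN_NAME not in header[0].lower():
            continue
        # The domain may sit in any file of the plugin, so search all PHP files.
        ioc_files = [str(f.relative_to(folder)) for f in sorted(folder.rglob("*.php"))
                     if IOC_DOMAIN.search(f.read_bytes())]
        findings.append({"folder": folder.name, "version": header[1],
                         "flagged_version": header[1] in FLAGGED_VERSIONS,
                         "ioc_files": ioc_files})
    return findings


if __name__ == "__main__":
    import sys
    for hit in scan_plugins(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(hit)
```

A 5.2.3 hit cannot be separated from the WordPress.org release by version alone; that needs a hash comparison against the official package, and the article does not list the hashes.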
Continue reading at BleepingComputer.
This is an AI-generated summary. Read the original for the full story.