Popular WordPress redirect plugin hid dormant backdoor for years

Quick Page/Post Redirect, installed on more than 70,000 WordPress sites, contained a backdoor added five years ago that allowed arbitrary code to be injected via a hidden self-update mechanism. The compromised updater pointed to an external domain (anadnet[.]com), pushed a tampered 5.2.3 build that added a passive SEO backdoor for logged-out users, and WordPress.org has temporarily pulled the plugin pending review. #QuickPagePostRedirect #anadnet

Keypoints

  • A backdoor was introduced to the Quick Page/Post Redirect plugin and affected over 70,000 installs.
  • Versions 5.2.1 and 5.2.2 included a hidden self-update mechanism pointing to anadnet[.]com that could push arbitrary code.
  • A tampered 5.2.3 build from the external server had a different hash than the WordPress.org copy and added a passive backdoor.
  • The backdoor triggers only for logged-out users via the_content and was likely used for cloaked SEO spam, while the update mechanism allows remote code execution.
  • Users should uninstall the plugin and replace it with a clean 5.2.4 from WordPress.org when available, and the researcher urges the attacker to publish a static update manifest to force remediation.
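
The hash mismatch between the externally served build and the WordPress.org copy is something a site owner can check for directly. The sketch below is an added example, not code from the article or the researcher: it compares an installed plugin directory against a clean reference copy by SHA-256 and lists hosts outside wordpress.org that appear in changed or extra PHP files. The function names, the trusted-host list, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
TRUSTED_SUFFIXES = ("wordpress.org", "w.org")  # assumption: hosts treated as first-party

def file_hashes(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest() for p in files}

def untrusted_hosts(text: str) -> set:
    """Hosts in URL literals that are not a trusted domain or one of its subdomains."""
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    return {h for h in hosts
            if h and not any(h == s or h.endswith("." + s) for s in TRUSTED_SUFFIXES)}

def compare(installed: Path, reference: Path) -> dict:
    """Report files that differ from, are absent from, or are missing versus the reference."""
    inst, ref = file_hashes(installed), file_hashes(reference)
    modified = sorted(f for f in inst if f in ref and inst[f] != ref[f])
    extra = sorted(f for f in inst if f not in ref)
    missing = sorted(f for f in ref if f not in inst)
    hosts = {}
    for f in modified + extra:
        if f.endswith(".php"):
            found = untrusted_hosts((installed / f).read_text(errors="replace"))
            if found:
                hosts[f] = sorted(found)
    return {"modified": modified, "extra": extra, "missing": missing, "hosts": hosts}

def demo() -> dict:
    """Constructed sample: a clean copy and an installed copy with an altered updater."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        for d in (ref, inst):
            d.mkdir()
            (d / "readme.txt").write_text("Stable tag: 0.0.0\n")
        (ref / "plugin.php").write_text("<?php // https://wordpress.org/plugins/\n")
        (inst / "plugin.php").write_text("<?php $u = 'https://updates.example.invalid/manifest.json';\n")
        (inst / "extra.php").write_text("<?php // no urls\n")
        return compare(inst, ref)

if __name__ == "__main__":
    print(demo())
```

In practice `reference` would be the plugin archive downloaded from WordPress.org and unpacked, and `installed` the directory under `wp-content/plugins/`.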

Read More: https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years/