WordPress Plugin Exposes 70,000 Sites to Backdoor Vulnerability

More than 70,000 WordPress sites still run a redirect utility whose hidden self-update backdoor, added five years ago, can in theory inject arbitrary code on demand, a researcher found.

Discovery by Anchor founder Austin Ginder

Austin Ginder, founder of WordPress hosting provider Anchor, uncovered the issue after 12 infected sites on his fleet triggered a security alert. Ginder traced the infections to the Quick Page/Post Redirect plugin, a basic utility available on WordPress.org for several years that administrators use to create redirects in posts, pages, and custom URLs.

Ginder reported that official plugin versions 5.2.1 and 5.2.2, released between 2020 and 2021, contained a hidden self-update mechanism pointing to a third-party domain, anadnet[.]com. That mechanism allowed code to be pushed to installs outside WordPress.org’s update controls, and later activity he observed suggested the plugin had been used for SEO spam operations.

The malicious update mechanism and the anadnet[.]com backchannel

According to Ginder, the malicious self-updater was removed from subsequent versions on WordPress.org in February 2021 — before code reviewers had a chance to scrutinize it. Despite that removal, in March 2021 sites still running Quick Page/Post Redirect 5.2.1 and 5.2.2 silently received a tampered 5.2.3 build from an external server, 'w.anadnet[.]com'.

Ginder notes the tampered build hosted on the anadnet server had a different hash than the same-named 5.2.3 package sourced from WordPress.org, indicating that the externally delivered copy contained extra code. It remains unclear whether the plugin author introduced the backdoor or if the author’s account or distribution was compromised by a third party. WordPress.org has temporarily pulled the plugin from its directory pending review.

The passive backdoor: cloaked parasite SEO and logged-out targeting

Ginder describes the visible payload as “cloaked parasite SEO.” The passive backdoor was hooked into 'the_content' and fetched data from the anadnet server; it triggered only for logged-out users, a behavior designed to hide activity from site administrators. The fetch-and-insert pattern Ginder observed fits SEO spam operations, with the plugin seemingly “renting Google ranking on seventy thousand websites back to whoever was operating that backchannel in 2021,” he explained.

While that passive mechanism delivered spam-oriented content, Ginder warns the larger hazard is the self-update capability itself: it permitted arbitrary code execution on demand. That means an attacker able to push content via the backchannel could run any code on compromised sites, not just SEO inserts.

Scope, current status, and recommended remediation

The Quick Page/Post Redirect plugin has been installed on more than 70,000 WordPress sites, and Ginder warns that those installs still have an update check pointing to the anadnet server. The dangerous update mechanism remains present on installs that received the tampered builds, but it is currently dormant because the malicious external command-and-control subdomain does not resolve. The domain itself is active, however.

Ginder’s recommended remediation is straightforward: uninstall the plugin and replace it with a clean copy of version 5.2.4 sourced from WordPress.org when it becomes available again. He also urged whoever operates the backdoor to publish a static update manifest that would force affected installs to automatically upgrade to the clean WordPress.org version, effectively removing the backdoor from previously compromised sites.

What site owners, WordPress.org, and hosting providers should do

  • Site owners: Remove Quick Page/Post Redirect if installed, and plan to replace it with a clean 5.2.4 from WordPress.org once the directory listing is restored. Treat any unexpected content served to logged-out visitors as a sign of compromise.
  • WordPress.org maintainers: Continue the temporary removal and review to determine whether the plugin author or a third party introduced the hidden self-updater and tampered build; consider coordinating any forced-update manifest that would safely remediate affected installs.
  • Hosting providers: Scan managed fleets for installs of Quick Page/Post Redirect that still point update checks to anadnet[.]com, and prioritize hosts showing the tampered 5.2.3 hash for cleanup and replacement.
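As an added defender-side example (not code from the article, the plugin, or its author), the following Python scanner checks a plugin directory for the two behaviours described above: a self-update path that references the anadnet domain or overrides WordPress's plugin-update transient, and a `the_content` filter that pulls remote data only for logged-out visitors. The hook names are assumed to be the standard WordPress filters such code would use, not a description of this plugin's exact source, and the plugin path in the usage line is a placeholder.

```python
import re
from pathlib import Path

# Indicators for the two behaviours in the report. The anadnet.com domain comes
# from the article; the hook names are the standard WordPress filters that
# custom self-updaters and front-end content filters register (an assumption
# about the generic pattern, not a description of this plugin's exact code).
PATTERNS = {
    "external_domain": re.compile(r"anadnet\.com", re.I),
    "update_transient": re.compile(
        r"add_filter\s*\(\s*['\"](?:pre_set_)?site_transient_update_plugins['\"]"
    ),
    "content_hook": re.compile(r"add_filter\s*\(\s*['\"]the_content['\"]"),
    "remote_fetch": re.compile(
        r"\b(?:wp_remote_get|wp_remote_post|file_get_contents|curl_exec)\s*\("
    ),
    "logged_out_gate": re.compile(r"!\s*is_user_logged_in\s*\("),
}


def scan_source(php_source: str) -> list:
    """Return human-readable findings for the contents of one PHP file."""
    hits = {name for name, rx in PATTERNS.items() if rx.search(php_source)}
    findings = []
    if "external_domain" in hits:
        findings.append("references anadnet.com")
    if "update_transient" in hits:
        findings.append("overrides the plugin update transient (self-update path)")
    # The cloaked-SEO pattern needs all three: a the_content hook, a remote
    # fetch, and a logged-out-only gate. Any one alone is common in clean code.
    if {"content_hook", "remote_fetch", "logged_out_gate"} <= hits:
        findings.append("fetches remote data into the_content for logged-out visitors")
    return findings


def scan_plugin_dir(root) -> dict:
    """Scan every .php file under root; map relative path -> findings."""
    results = {}
    for path in sorted(Path(root).rglob("*.php")):
        found = scan_source(path.read_text(errors="replace"))
        if found:
            results[str(path.relative_to(root))] = found
    return results


if __name__ == "__main__":
    import sys
    # Usage: python scan_plugin.py /path/to/wp-content/plugins/<plugin-dir>
    for rel, found in scan_plugin_dir(sys.argv[1]).items():
        print(rel, "->", "; ".join(found))
```

A hit on the update-transient filter alone is not proof of compromise, since legitimate premium plugins use the same hook; the domain reference and the logged-out content injection are the signals specific to this case.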

The case exposes a simple yet powerful risk vector: a plugin’s self-update path can be turned from convenience into a remote code-execution mechanism years after initial installation. Ginder’s call for a static update manifest would remove the backdoor at scale; until WordPress.org and site operators act, tens of thousands of sites remain exposed to an updater that was already used to deliver covert SEO content and that — by design — can accept arbitrary code.

https://www.bleepingcomputer.com/news/security/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years/