Backdoor Discovered in Popular WordPress Plugin
The Quick Page/Post Redirect plugin, installed on over 70,000 WordPress websites, has been found to contain a backdoor that has been present for five years and permits arbitrary code to be injected into users’ sites.
This troubling discovery was made by Austin Ginder, the founder of Anchor, a WordPress hosting provider, who noticed the malware after twelve infected sites triggered a security alert within his network.
The Quick Page/Post Redirect plugin, which has been available on WordPress.org for several years, serves as a simple utility for facilitating redirects in posts, pages, and custom URLs.
In response to the situation, WordPress.org has temporarily removed the plugin from its directory while a thorough review is conducted. The origins of the backdoor remain ambiguous, with questions surrounding whether the author introduced it or if third-party interference occurred.
According to Ginder, official versions of the plugin, specifically 5.2.1 and 5.2.2, released between 2020 and 2021, contained a concealed self-update mechanism that pointed to a third-party domain, anadnet[.]com, allowing arbitrary code to be injected outside WordPress.org’s review process.
In February 2021, this malicious self-updater was removed from subsequent releases of the plugin, before code reviewers had examined it.
By March 2021, as noted by Ginder, installations of Quick Page/Post Redirect versions 5.2.1 and 5.2.2 silently received an altered 5.2.3 build from that external server, which introduced a passive backdoor.
The build served from the ‘w.anadnet[.]com’ server, which contained the backdoor code, had a different hash from the corresponding version available on WordPress.org.
This passive backdoor activates only for logged-out users, hiding its activity from administrators. It hooks into ‘the_content’ and retrieves data from the ‘anadnet’ server, presumably for SEO spam.
“The actual mechanism was cloaked parasite SEO. The plugin was monetizing Google ranking on seventy thousand websites for whoever was operating that backchannel in 2021,” Ginder elaborated.
Nonetheless, the principal risk for affected websites comes from the update mechanism itself, which enabled arbitrary code execution at will.
This mechanism remains dormant on sites still using the plugin, because the malicious command-and-control subdomain does not currently resolve, although the domain itself remains active.
For users affected by this issue, the recommended course of action is to uninstall the plugin and replace it with a clean copy of version 5.2.4, sourced from WordPress.org once it becomes available.
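As an added illustration (not part of the original article or the plugin's own code), the check below does what the hash mismatch and the external update host described above call for: it builds a per-file SHA-256 manifest of an installed plugin directory, diffs it against the manifest of a clean copy, and greps the PHP files for references to the anadnet domain. The file names and contents in `demo()` are constructed samples, not the real plugin's files.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# The external update/C2 host named in the article, matched as a literal indicator.
SUSPECT_HOST_RE = re.compile(r"anadnet\.com", re.IGNORECASE)

def file_manifest(plugin_dir):
    """Map every file under plugin_dir (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(plugin_dir)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare_manifests(reference, installed):
    """Diff an installed copy's manifest against the manifest of the clean WordPress.org release."""
    return {
        "modified": sorted(p for p in reference if p in installed and installed[p] != reference[p]),
        "added": sorted(p for p in installed if p not in reference),
        "missing": sorted(p for p in reference if p not in installed),
    }

def find_suspect_hosts(plugin_dir):
    """Return (relative file, line number) for every PHP line that references the suspect host."""
    root = Path(plugin_dir)
    hits = []
    for p in sorted(root.rglob("*.php")):
        for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
            if SUSPECT_HOST_RE.search(line):
                hits.append((p.relative_to(root).as_posix(), n))
    return hits

def demo():
    """Build a constructed clean copy and a constructed tampered copy, then run both checks."""
    clean_main = "<?php\n// constructed stand-in for the plugin's main file\nadd_filter('the_content', 'qppr_content');\n"
    tampered_main = clean_main + "// constructed: an extra line a tampered build might carry\n$qppr_remote = 'https://w.anadnet.com/';\n"
    with tempfile.TemporaryDirectory() as tmp:
        clean, installed = Path(tmp, "clean"), Path(tmp, "installed")
        for d in (clean, installed):
            d.mkdir()
            (d / "readme.txt").write_text("Quick Page/Post Redirect (constructed sample)\n")
        (clean / "plugin-main.php").write_text(clean_main)
        (installed / "plugin-main.php").write_text(tampered_main)
        (installed / "extra.php").write_text("<?php // constructed file absent from the clean release\n")
        diff = compare_manifests(file_manifest(clean), file_manifest(installed))
        hits = find_suspect_hosts(installed)
    return diff, hits

if __name__ == "__main__":
    print(demo())
```

In practice the reference manifest comes from a freshly downloaded copy of the clean release from WordPress.org, and `installed` is the live `wp-content/plugins/` directory for the plugin.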
Ginder conveyed a message to the individuals behind the backdoor, urging them to take responsible action by publishing a static update manifest, compelling all affected installations to automatically upgrade to the clean version from WordPress.org, effectively eradicating the backdoor from previously compromised sites.

The researcher cautions that the Quick Page/Post Redirect plugin continues to have 70,000 installations with an update check redirecting to the ‘anadnet’ server.
Source link: Bleepingcomputer.com.