Widespread WordPress Redirect Plugin Discovered to Contain Long-Standing Backdoor

Quick Page/Post Redirect Removed for Review

A widely adopted WordPress redirect plugin has been temporarily withdrawn from WordPress.org following the discovery of a concealed backdoor linked to its older versions.

The Quick Page/Post Redirect plugin, utilized to facilitate the management of page, post, and custom URL redirects, boasts an active user base exceeding 70,000 installations.

This alarming issue came to light through the diligence of Austin Ginder, the founder of Anchor, a WordPress hosting service.

Security warnings emerged from a dozen customer sites, raising questions about the integrity of the plugin.

The origins of the dormant code—whether it was intentionally embedded by the original developer or if the project itself had been compromised—remain ambiguous.

External Update Channel Elevated the Risk

Upon investigation, Ginder discovered that official releases 5.2.1 and 5.2.2, issued between 2020 and 2021, contained a covert self-update feature that connected to an external domain, anandnet[.]com.

This mechanism allowed code to be delivered to sites without passing through the WordPress.org review process.

In March 2021, websites utilizing these versions purportedly received a modified 5.2.3 build from this external source.

This tampered package possessed a different hash than its WordPress.org counterpart and introduced a discreet backdoor designed to evade detection.

Backdoor Appears Linked to SEO Spam

The malicious code appears to have run only for logged-out visitors, so administrators browsing their own sites while logged in would not see it.

This backdoor integrated itself into WordPress content rendering, retrieving instructions from the external Anandnet infrastructure—behavior consistent with cloaked parasitic or SEO spam-injection operations.

The overarching concern lies within the update mechanism itself. Even if the command-and-control (C2) subdomain is currently dormant, the affected installations may still be harboring code capable of accepting arbitrary updates if the infrastructure were to become accessible once more.

What Site Owners Should Know

Administrators currently utilizing Quick Page/Post Redirect are advised to conduct a thorough audit of installed versions, particularly focusing on 5.2.1, 5.2.2, and the externally delivered 5.2.3 builds.

Security personnel should compare plugin hashes, monitor outbound requests, and scrutinize indexed pages for any signs of injected spam.

The prudent approach is to completely remove the plugin and await the release of a verified, clean WordPress.org version 5.2.4 for reinstallation.

In the interim, affected websites should treat this plugin as a supply-chain risk to their operational security.
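One way to carry out the version and hash audit described above, as an added example that is not from the original article or from the plugin's developers. It assumes you have the installed plugin directory and a clean copy of the same version unpacked from WordPress.org; the function names, directory layout and sample files are hypothetical, and the sample data in `demo()` is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

SUSPECT_VERSIONS = {"5.2.1", "5.2.2", "5.2.3"}  # versions named in the article
INDICATOR = b"anandnet"  # name of the external update host from the article

def sha256_tree(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def header_version(root):
    """Read the 'Version:' plugin header from the top-level PHP files."""
    for php in sorted(Path(root).glob("*.php")):
        m = re.search(rb"^[ \t/*#@]*Version:\s*([0-9][\w.\-]*)",
                      php.read_bytes()[:8192], re.M | re.I)
        if m:
            return m.group(1).decode()
    return None

def audit_plugin(installed, reference):
    """Compare an installed plugin directory with a clean reference copy."""
    inst, ref = sha256_tree(installed), sha256_tree(reference)
    version = header_version(installed)
    hits = sorted(f for f in inst
                  if INDICATOR in Path(installed, f).read_bytes().lower())
    return {
        "version": version,
        "suspect_version": version in SUSPECT_VERSIONS,
        "modified": sorted(f for f in inst.keys() & ref.keys() if inst[f] != ref[f]),
        "added": sorted(inst.keys() - ref.keys()),
        "missing": sorted(ref.keys() - inst.keys()),
        "indicator_hits": hits,
    }

def demo():
    """Run the audit on two small trees built here (constructed sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        ref, inst = Path(tmp, "reference"), Path(tmp, "installed")
        for d in (ref, inst):
            d.mkdir()
            (d / "readme.txt").write_text("Constructed sample readme\n")
        (ref / "plugin.php").write_text("<?php\n/*\n * Version: 5.2.3\n */\n")
        (inst / "plugin.php").write_text(
            "<?php\n/*\n * Version: 5.2.3\n */\n// constructed: host anandnet.example\n")
        (inst / "extra.php").write_text("<?php // constructed unexpected file\n")
        return audit_plugin(inst, ref)

if __name__ == "__main__":
    print(demo())
```

Any entry under `modified`, `added` or `indicator_hits` means the installed copy differs from the WordPress.org package and should be investigated before the plugin is trusted again.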

Source link: Bitdefender.com.

Disclosure: This article is for general information only and is based on publicly available sources. We aim for accuracy but can't guarantee it. The views expressed are the author's and may not reflect those of the publication. Some content was created with help from AI and reviewed by a human for clarity and accuracy. We value transparency and encourage readers to verify important details. This article may include affiliate links. If you buy something through them, we may earn a small commission — at no extra cost to you. All information is carefully selected and reviewed to ensure it's helpful and trustworthy.

Reported By

Souvik Banerjee

I’m Souvik Banerjee from Kolkata, India. As a Marketing Manager at RS Web Solutions (RSWEBSOLS), I specialize in digital marketing, SEO, programming, web development, and eCommerce strategies. I also write tutorials and tech articles that help professionals better understand web technologies.