240/69 Friday, May 1, 2026
Security researchers from Anchor Hosting have revealed that the Quick Page/Post Redirect WordPress plugin—used for creating redirects and installed on over 70,000 websites—has contained a hidden backdoor since 2020. The issue was identified after abnormal activity alerts were detected across 12 managed websites. Investigation found that versions 5.2.1 and 5.2.2 included a stealthy self-update mechanism that connected to an external domain (anadnet[.]com), allowing unauthorized code to be delivered to affected sites outside the control of WordPress.org.
In March 2021, websites running versions 5.2.1 and 5.2.2 received a malicious update labeled version 5.2.3 from the external server. This version contained additional backdoor code and had a different hash from the legitimate 5.2.3 release distributed via WordPress.org. The backdoor was designed to activate only for non-logged-in users, helping it evade detection by site administrators. It hooked into the the_content function to fetch data from the anadnet server and inject it into website content. Researchers believe it may have been used for cloaked parasite SEO campaigns, inserting hidden content and links to exploit search engine rankings of compromised websites.
WordPress.org has temporarily removed the plugin from its repository pending further review. However, the primary risk remains due to the external update mechanism still present on affected installations. Although the external command-and-control subdomain is currently inactive, leaving the backdoor dormant, affected users are strongly advised to uninstall the plugin immediately. They should switch to version 5.2.4 once it becomes available again on WordPress.org, and conduct a thorough review of their websites to identify any unauthorized files or injected code.