Supply chain

Arbitrary code pushed by long concealed backdoor in widely used WordPress redirect add-on

Popular WordPress plugin Quick Page/Post Redirect, which allows the creation of redirects in posts, pages, and custom URLs, was injected with a stealthy backdoor half a decade ago that enabled arbitrary code injection into websites, BleepingComputer reports.

Hidden within Quick Page/Post Redirect versions 5.2.1 and 5.2.2 released from 2020 to 2021 was a self-update mechanism linked to anadnet[.]com that pushed arbitrary code, according to Anchor founder Austin Ginder, who discovered the malware across a dozen WordPress sites. While the illicit self-updater was removed in February 2021, all sites using the compromised plugin versions were updated with a tampered 5.2.3 build that injected a passive backdoor. Only logged-out users are impacted by the backdoor, which retrieves data from the "anadnet" server for potential SEO spam activity.

"The actual mechanism was cloaked parasite SEO. The plugin was renting Google ranking on seventy thousand websites back to whoever was operating that backchannel in 2021," said Ginder. Whether the plugin was compromised by its developer or subjected to a third-party breach remains uncertain, but the backdoor's developer was urged to release a static update manifest that would force upgrades to a clean version of the add-on.
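A defender-side check for the indicators named in this report, as an added example that is not from the article, the plugin, or Ginder's own tooling: it walks a WordPress `wp-content/plugins` directory, reads each plugin's header, and flags the reported versions plus any PHP file that mentions the reported domain. The function names and finding strings are assumptions made for this illustration.

```python
import os
import re
import sys

# Values from the report above; the domain appears there defanged as anadnet[.]com.
PLUGIN_NAME = "quick page/post redirect"
SELF_UPDATER_VERSIONS = {"5.2.1", "5.2.2"}
REVIEW_VERSION = "5.2.3"  # a tampered build of this version was pushed to affected sites
DOMAIN = "anadnet.com"
HEADER = re.compile(r"^[\s*#/]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.I | re.M)

def read_header(path):
    """Return (name, version) from a WordPress plugin header, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # WordPress reads plugin headers from the first 8 KB
    fields = {key.lower(): value for key, value in HEADER.findall(head)}
    if "plugin name" not in fields:
        return None
    return fields["plugin name"], fields.get("version", "")

def scan_plugin(root):
    """Return a list of findings for one plugin directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(f for f in files if f.endswith(".php")):
            path = os.path.join(dirpath, name)
            header = read_header(path) if dirpath == root else None
            if header and PLUGIN_NAME in header[0].lower():
                if header[1] in SELF_UPDATER_VERSIONS:
                    findings.append(f"version {header[1]}: self-updater build")
                elif header[1] == REVIEW_VERSION:
                    findings.append("version 5.2.3: compare with a clean copy")
            with open(path, encoding="utf-8", errors="replace") as fh:
                if DOMAIN in fh.read().lower():
                    findings.append(f"domain reference: {os.path.relpath(path, root)}")
    return findings

def scan_plugins(plugins_dir):
    """Map each plugin directory under plugins_dir to its findings, if any."""
    report = {}
    for entry in sorted(os.listdir(plugins_dir)):
        root = os.path.join(plugins_dir, entry)
        if os.path.isdir(root) and (found := scan_plugin(root)):
            report[entry] = found
    return report

if __name__ == "__main__":
    print(scan_plugins(sys.argv[1]))
```

A 5.2.3 version number alone does not distinguish the tampered build from a clean one, so that finding is a prompt to compare the files against a known-good copy rather than a verdict.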
