Malicious self-update mechanism in Quick Page/Post Redirect plugin exposed dormant backdoor in WordPress environments

1 unique source, 1 article

Summary

A dormant backdoor mechanism was discovered in the Quick Page/Post Redirect WordPress plugin, which is installed on over 70,000 websites. The backdoor was introduced via compromised plugin versions (5.2.1 and 5.2.2) released between 2020 and 2021, which included a hidden self-update system that fetched arbitrary code from a third-party domain (anadnet[.]com). This allowed silent code injection into sites, primarily for SEO spam targeting logged-out users. The backdoor remains dormant on impacted sites because the command-and-control domain does not currently resolve, but the self-update capability could enable further exploitation. WordPress.org has temporarily removed the plugin pending review, and users are advised to uninstall the plugin and replace it with a clean version once available.

Timeline

  1. 30.04.2026 01:13 · 1 article

    Dormant backdoor in Quick Page/Post Redirect plugin revealed via malicious self-update mechanism

    Analysis confirmed that compromised versions 5.2.1 and 5.2.2 of the Quick Page/Post Redirect WordPress plugin contained a hidden self-update system that fetched updates from anadnet[.]com. This allowed silent delivery of a tampered version 5.2.3 in March 2021, containing a passive backdoor triggered only for logged-out users to inject SEO spam. The malicious self-updater was removed from subsequent versions in February 2021 before review, but the backdoor mechanism remains dormant on impacted sites due to the unresolvable command-and-control domain. The plugin has been temporarily removed from WordPress.org pending review, and users are advised to uninstall it and replace it with a clean version (5.2.4) when available.


Information Snippets

  • The Quick Page/Post Redirect plugin (versions 5.2.1 and 5.2.2) introduced a hidden self-update mechanism that fetched updates from an external domain (anadnet[.]com) outside WordPress.org's control.

    First reported: 30.04.2026 01:13
    1 source, 1 article
  • The malicious self-updater was removed from subsequent plugin versions in February 2021 before code reviewers could analyze it.

    First reported: 30.04.2026 01:13
    1 source, 1 article
  • In March 2021, sites running versions 5.2.1 and 5.2.2 silently received a tampered version 5.2.3 from the external server, containing a passive backdoor that triggered only for logged-out users.

    First reported: 30.04.2026 01:13
    1 source, 1 article
  • The backdoor payload was designed to fetch data from 'anadnet' servers, primarily for SEO spam operations, and had a different hash than the official WordPress.org version of plugin 5.2.3.

    First reported: 30.04.2026 01:13
    1 source, 1 article
  • The self-update mechanism enabling arbitrary code execution remains present on impacted sites but is currently dormant due to the unresolvable 'anadnet' subdomain.

    First reported: 30.04.2026 01:13
    1 source, 1 article
  • WordPress.org has temporarily pulled the Quick Page/Post Redirect plugin from its directory pending a review.

    First reported: 30.04.2026 01:13
    1 source, 1 article
  • The plugin is installed on over 70,000 WordPress sites, with an active update check still pointing to the 'anadnet' server.

    First reported: 30.04.2026 01:13
    1 source, 1 article
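
A defender-side triage of an installed plugin folder against the indicators listed in this entry, as an added example that is not taken from the source article or from the plugin's code. The folder path passed in and the `known_good` hash map (built from a copy you trust) are assumptions; this page gives no hash values.

```python
import hashlib
import re
import sys
from pathlib import Path

# Domain as written (defanged) on this page, re-fanged only for matching.
C2_DOMAIN = "anadnet[.]com".replace("[.]", ".")
COMPROMISED = {"5.2.1", "5.2.2"}  # versions the page says carried the self-updater
AMBIGUOUS = "5.2.3"               # exists as an official and as a tampered build
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*([0-9][\w.\-]*)", re.I | re.M)


def plugin_version(plugin_dir):
    """Return the 'Version:' value from the first top-level PHP plugin header."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if match:
            return match.group(1)
    return None


def triage(plugin_dir, known_good=None):
    """Scan one plugin folder. known_good: optional {relative_path: sha256 hex}
    built from a trusted copy; files absent from it count as mismatches."""
    root = Path(plugin_dir)
    version = plugin_version(root)
    domain_refs, hash_mismatch = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if C2_DOMAIN.encode() in data.lower():
            domain_refs.append(rel)
        if known_good is not None and known_good.get(rel) != hashlib.sha256(data).hexdigest():
            hash_mismatch.append(rel)
    suspect = bool(
        domain_refs or hash_mismatch or version in COMPROMISED
        # Without a trusted baseline, a 5.2.3 install cannot be cleared by version alone.
        or (version == AMBIGUOUS and known_good is None)
    )
    return {"version": version, "domain_refs": domain_refs,
            "hash_mismatch": hash_mismatch, "suspect": suspect}


if __name__ == "__main__":
    print(triage(sys.argv[1]))
```

A plain substring match will miss a domain that is assembled or encoded at runtime, so the hash comparison against a trusted copy is the stronger of the two checks.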