
Quick Page/Post Redirect Plugin Hit by Major Supply Chain Attack, 70,000 Sites at Risk


A major supply chain attack has been discovered in the Quick Page/Post Redirect Plugin, a widely used WordPress plugin with more than 70,000 active installations. The issue has raised serious concerns about plugin security and trust in the WordPress ecosystem.

Security researcher Austin Ginder uncovered a hidden backdoor that had been sitting inside the plugin for nearly five years. This backdoor was designed to quietly inject malicious code into websites without being noticed.

The problem came to light during routine security checks. Some websites reported running version 5.2.3 of the plugin, but their file signatures did not match the official version available on the WordPress repository. This mismatch raised red flags and led to a deeper investigation.

Researchers found that the plugin had been tampered with. It included a hidden function that connected to a third-party server and injected content directly into website pages. This content was not visible to site administrators. Instead, it only appeared to regular visitors and search engine crawlers. This made it useful for parasite SEO campaigns and harder to detect.

The attack used a multi-stage approach with two separate backdoors. The first one was an active backdoor. It used a custom plugin update checker that connected to a server controlled by the attacker instead of the official WordPress update system. This allowed the attacker to push malicious updates with full control.

The second was a passive backdoor. It fetched hidden content from a remote command-and-control server and displayed it on affected websites. Even though this server is currently offline, the update mechanism is still active and could be used again.

Further investigation revealed that this was not an external hack. The attack appears to be an inside job. The plugin’s original developer, known as anadnet, reportedly added the malicious update system to the official repository in late 2020. This allowed the compromised code to spread to thousands of websites.

Later, the developer removed the updater from the official codebase. However, by that time, many installations were already connected to the attacker’s private server. This step helped hide the attack while keeping affected sites under control.

In response, the WordPress plugin review team removed the plugin from the directory in April 2026. The investigation is still ongoing.

As someone working closely in security research, I can see how supply chain attacks are evolving. This type of attack is hard to detect. Attackers can fake version numbers, which makes standard vulnerability scanners less effective. So, administrators are advised to manually verify plugin files using WordPress command-line tools. If there is any mismatch, the plugin should be removed immediately.

Website owners should not rely only on automated tools. It is important to verify plugin checksums regularly, monitor unusual outbound requests, and avoid installing unnecessary plugins. Even plugins from trusted sources should be reviewed carefully.
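The file check recommended above can be done with WP-CLI's `wp plugin verify-checksums <plugin-slug>`, or offline against a trusted copy of the release. The script below is an added example, not code from the plugin or the original research. It assumes GNU `sha256sum`, and its function names, directory layout and file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline file-integrity check in the spirit of
# `wp plugin verify-checksums`. Paths and file contents are constructed.

# verify_plugin_dir DIR MANIFEST
# MANIFEST is sha256sum output ("<hash>  <relative path>") from a trusted copy.
# Prints MISSING / MODIFIED / UNEXPECTED findings; returns 1 if there are any.
verify_plugin_dir() {
  dir=$1; manifest=$2
  findings=$(
    while read -r want rel; do
      [ -n "$rel" ] || continue
      if [ ! -f "$dir/$rel" ]; then echo "MISSING $rel"; continue; fi
      got=$(sha256sum "$dir/$rel" | cut -d' ' -f1)
      if [ "$got" != "$want" ]; then echo "MODIFIED $rel"; fi
    done < "$manifest"
    # Files on disk that the trusted release never shipped.
    (cd "$dir" && find . -type f | sed 's|^\./||' | sort) | while read -r rel; do
      cut -c67- "$manifest" | grep -qxF -- "$rel" || echo "UNEXPECTED $rel"
    done
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# build_demo ROOT: constructed trusted release, its manifest, and a tampered
# install that still reports the same version string.
build_demo() {
  root=$1
  mkdir -p "$root/release/inc" "$root/installed"
  printf '<?php\n/* Version: 5.2.3 */\n' > "$root/release/plugin.php"
  printf '<?php\nfunction demo_redirect() {}\n' > "$root/release/inc/redirect.php"
  (cd "$root/release" && find . -type f | sed 's|^\./||' | sort | xargs sha256sum) \
    > "$root/manifest.sha256"
  cp -R "$root/release/." "$root/installed/"
  printf '/* constructed change */\n' >> "$root/installed/plugin.php"
  printf '<?php /* constructed extra file */\n' > "$root/installed/inc/updater.php"
}

demo_root=$(mktemp -d)
build_demo "$demo_root"
verify_plugin_dir "$demo_root/installed" "$demo_root/manifest.sha256" \
  || echo "Mismatch: treat the installed copy as untrusted."
rm -rf "$demo_root"
```

The tampered copy keeps the same version header as the trusted release, so only the hash comparison and the check for unexpected files reveal the difference.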


Deepanker Verma

About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known security researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
