Categories: Cyber Security News

Backdoored WordPress Plugin Uses Remote Update for Code Delivery

A long-dormant backdoor has been uncovered in the Quick Page/Post Redirect Plugin, a popular WordPress add-on used by over 70,000 websites.

Security researcher Austin Ginder discovered the issue after a routine fleet audit flagged Quick Page/Post Redirect Plugin version 5.2.3 across twelve managed sites.

A file hash check using md5sum produced a hash value that matched none of the official releases published in WordPress.org’s SVN repository.

Two malicious components were found. The first was a passive content injection mechanism: an extra function hooked into the_content with priority -1 silently fetched content from w.anadnet.com/bro/3/ and prepended it to every page view.

The hook was gated on !is_user_logged_in(), so the injection was completely invisible to any logged-in administrator reviewing the site, while logged-out visitors, including Googlebot, saw the injected backlinks.

Stealthy Supply Chain Attack

This parasite SEO technique allowed attackers to hijack search engine rankings without triggering any visible alerts.

The second was a far more dangerous active backdoor: the tampered plugin shipped with a full copy of the Plugin Update Checker library (Puc_v4p10) and registered anadnet.com/updates/ as its own update source.

On every scheduled WordPress cron run, affected sites polled anadnet.com for a new plugin version. Whatever the server returned, WordPress installed with full plugin-author permissions: a remote code push disguised as a routine update.

WordPress.org’s public SVN log revealed the full history. On October 28, 2020, commit r2408245 added the self-updater to trunk, and tags 5.2.1 and 5.2.2 were cut on top of it.

On February 14, 2021, commit r2474557 quietly removed the updater folder from trunk, but the backchannel remained live on every existing install.

In March 2021, the tampered 5.2.3 build went live on the anadnet update server, and all seeded sites pulled it within a week.

The command-and-control server eventually went offline, leaving the backdoor dormant. However, the malicious code remained permanently embedded on infected servers, waiting for the attacker to reactivate the domain at any time.

The Internet Archive captured a single snapshot of the anadnet.com/updates/ JSON endpoint on May 28, 2022. It listed version 5.2.3, last updated 2021-03-10, exactly matching the file modification timestamps on all twelve sites.

Ginder stated that all eighteen environments were remediated in under thirty seconds using a single CaptainCore API call to force-install version 5.2.4 via WP-CLI.

The WP-CLI verification command pulls SHA-256 hashes directly from WordPress.org and flags any file that does not match, exiting with code 1 on failure, which makes it fully scriptable across a fleet.

On April 14, 2026, the WordPress.org plugin review team temporarily closed the plugin pending review. The plugin had no advisories from Patchstack or WPScan addressing this specific backdoor.

Administrators are advised to immediately uninstall the plugin and replace it with Redirection by John Godley or Safe Redirect Manager for sites still running versions 5.2.1 or 5.2.2.

The incident underscores a broader supply chain risk: version numbers reported by package managers do not prove file integrity.

When a plugin registers its own remote update source, the official repository is no longer the source of truth for what runs on disk.
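As an added illustration (not code from the article, from Ginder, or from the CaptainCore tooling), the Python audit below does in one pass what the two findings above call for: it compares on-disk plugin files against a WordPress.org-style per-version checksum manifest, as `wp plugin verify-checksums` does, and separately flags any bundled Plugin Update Checker together with the update URL it registers. The fixture directory, its file contents and the placeholder update domain are constructed for this demo.

```python
import hashlib, os, re, tempfile

# Manifest shape mirrors WordPress.org's per-version checksum JSON: {"files": {"<path>": {"sha256": "..."}}}
UPDATE_CHECKER_RE = re.compile(r"Puc_v4|plugin-update-checker|buildUpdateChecker", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+")

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit_plugin(plugin_dir, manifest):
    """Diff on-disk files against the manifest; flag bundled self-updaters and their URLs."""
    expected = manifest["files"]
    report = {"modified": [], "missing": [], "extra": [], "update_sources": []}
    on_disk = {}
    for root, _, names in os.walk(plugin_dir):
        for name in names:
            full = os.path.join(root, name)
            on_disk[os.path.relpath(full, plugin_dir).replace(os.sep, "/")] = full
    for rel, meta in expected.items():
        if rel not in on_disk:
            report["missing"].append(rel)
        elif sha256_file(on_disk[rel]) != meta["sha256"]:
            report["modified"].append(rel)  # release file altered on disk
    for rel, full in sorted(on_disk.items()):
        if rel not in expected:
            report["extra"].append(rel)  # not part of the official release
        if rel.endswith(".php"):
            with open(full, encoding="utf-8", errors="replace") as f:
                src = f.read()
            if UPDATE_CHECKER_RE.search(src):  # plugin carries its own updater
                report["update_sources"].extend(URL_RE.findall(src))
    return report

def build_sample():
    """Constructed fixture (not real plugin code): one pristine file, one altered file, one extra self-updater."""
    released = {"page-post-redirect-plugin.php": b"<?php\n// original entry point\n",
                "qppr_frontend.php": b"<?php\n// released frontend\n",
                "readme.txt": b"=== Quick Page/Post Redirect ===\n"}
    on_disk = {r: b for r, b in released.items() if r != "readme.txt"}  # readme deleted on disk
    on_disk["qppr_frontend.php"] = b"<?php\n// altered after release\n"
    on_disk["plugin-update-checker/load.php"] = b"<?php\nPuc_v4_Factory::buildUpdateChecker('https://updates.example.invalid/', __FILE__);\n"
    d = tempfile.mkdtemp()
    for rel, body in on_disk.items():
        os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
        with open(os.path.join(d, rel), "wb") as f:
            f.write(body)
    manifest = {"files": {r: {"sha256": hashlib.sha256(b).hexdigest()} for r, b in released.items()}}
    return d, manifest
```

Any non-empty `update_sources` entry whose host is not WordPress.org is the signal this incident turned on: the plugin has a second source of truth the official repository knows nothing about.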

The post Backdoored WordPress Plugin Uses Remote Update for Code Delivery appeared first on Cyber Security News.
