The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites. The malware was uncovered by Austin Ginder, the founder of WordPress hosting provider Anchor, who found it after 12 infected sites on his fleet triggered a security alert. Quick Page/Post Redirect plugin, available on WordPress.org for several years, is a basic utility plugin used for creating redirects in posts, pages, and custom URLs. WordPress.org has temporarily pulled the plugin from the directory pending a review. It is unclear if the author of the plugin introduced the backdoor or they were compromised by a third party. Ginder explains that official plugin versions 5.2.1 and 5.2.2, released between 2020 and 2021, included a hidden self-update mechanism pointing to a third-party domain, anadnet[.]com, which allowed pushing arbitrary code outside WordPress.org’s control. In February 2021, the malicious self-updater was removed from subsequent versions of the plugin on WordPress.org, before code reviewers had a chance to scrutinize it. In March 2021, according to Ginder, sites running Quick Page/Post Redirect 5.2.1 and 5.2.2 silently received a tampered 5.2.3 build from that external server, which introduced a passive backdoor. However, the build from the 'w.anadnet[.]com' server with the extra backdoor code had a different hash than the same version of the plugin sourced from WordPress.org.