
Popular WordPress redirect plugin hid dormant backdoor for years

Why This Matters

The discovery of a hidden backdoor in the widely used Quick Page/Post Redirect plugin highlights the ongoing security risks in popular WordPress plugins, especially those with compromised update mechanisms. This incident underscores the importance of vigilant plugin management for website owners and the need for rigorous security reviews in the WordPress ecosystem, as malicious code can remain dormant for years and impact thousands of sites. Protecting WordPress sites from such vulnerabilities is crucial for maintaining the integrity and security of millions of websites worldwide.

Key Takeaways

The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites.

The malware was uncovered by Austin Ginder, the founder of WordPress hosting provider Anchor, who found it after 12 infected sites on his fleet triggered a security alert.

The Quick Page/Post Redirect plugin, available on WordPress.org for several years, is a basic utility plugin used for creating redirects for posts, pages, and custom URLs.

WordPress.org has temporarily pulled the plugin from the directory pending a review. It is unclear whether the author of the plugin introduced the backdoor or whether they were compromised by a third party.

Ginder explains that official plugin versions 5.2.1 and 5.2.2, released between 2020 and 2021, included a hidden self-update mechanism pointing to a third-party domain, anadnet[.]com, which allowed pushing arbitrary code outside WordPress.org’s control.

In February 2021, the malicious self-updater was removed from subsequent versions of the plugin on WordPress.org, before code reviewers had a chance to scrutinize it.

In March 2021, according to Ginder, sites running Quick Page/Post Redirect 5.2.1 and 5.2.2 silently received a tampered 5.2.3 build from that external server, which introduced a passive backdoor.

The build served from the 'w.anadnet[.]com' server, carrying the extra backdoor code, had a different hash than the same version of the plugin sourced from WordPress.org.

The passive backdoor triggers only for logged-out users, hiding its activity from admins. It is hooked into 'the_content' and fetches data from the 'anadnet' server, likely used for SEO spam operations.
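The hash mismatch between the externally served build and the WordPress.org copy is the detection hook a site operator can act on. The following is an added example, not code from the article or from the plugin: it builds a per-file SHA-256 manifest of an installed plugin directory and diffs it against a reference copy of the same version unpacked from the WordPress.org zip, reporting added, removed and modified files. All file names and contents below are constructed placeholders, not the plugin's real files.

```python
import hashlib
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            out[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare(reference: dict[str, str], installed: dict[str, str]) -> dict[str, list[str]]:
    """Report files added, removed or modified in the installed copy relative to the reference."""
    ref_keys, inst_keys = set(reference), set(installed)
    return {
        "added": sorted(inst_keys - ref_keys),
        "removed": sorted(ref_keys - inst_keys),
        "modified": sorted(k for k in ref_keys & inst_keys if reference[k] != installed[k]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed sample: a clean reference copy and a tampered installed copy of one version.

    In practice `reference` would be the plugin unzipped from WordPress.org and
    `installed` the directory under wp-content/plugins/ on the live site.
    """
    clean = {"main.php": "<?php // plugin bootstrap\n", "readme.txt": "Stable tag: 5.2.3\n"}
    tampered = dict(clean)
    tampered["main.php"] += "// extra code not present in the WordPress.org build\n"
    tampered["inc/extra.php"] = "<?php // file absent from the reference\n"
    with tempfile.TemporaryDirectory() as tmp:
        ref_dir, inst_dir = Path(tmp, "reference"), Path(tmp, "installed")
        for root, files in ((ref_dir, clean), (inst_dir, tampered)):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        return compare(manifest(ref_dir), manifest(inst_dir))


if __name__ == "__main__":
    print(demo())
```

A non-empty "added" or "modified" list for a version whose WordPress.org copy is known good is the signal the article describes: the running code did not come from the directory.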

"The actual mechanism was cloaked parasite SEO. The plugin was renting Google ranking on seventy thousand websites back to whoever was operating that backchannel in 2021," explained Ginder.
