:

WORDPRESS PLUGIN HARBORED SECRET BACKDOOR FOR 5 YEARS

INDUSTRY DESK2 MIN READ
THU, APR 30, 2026

■ AI-SUMMARIZED FROM 1 SOURCE ▸ TIMELINE

The Quick Page/Post Redirect plugin, installed on over 70,000 WordPress sites, contained a hidden backdoor that remained dormant for five years. The vulnerability allows attackers to inject arbitrary code directly into affected websites.

Security researchers discovered the backdoor in the Quick Page/Post Redirect plugin, a widely-used tool for managing URL redirects on WordPress sites. The malicious code was inserted approximately five years ago and went undetected until recently. The backdoor's functionality enables unauthorized code injection, potentially giving attackers full control over compromised websites. This could lead to data theft, malware distribution, site defacement, or other malicious activities. With over 70,000 active installations, the plugin's widespread adoption amplified the potential impact of the vulnerability. The dormant nature of the backdoor—remaining inactive until triggered—likely contributed to its extended undetection. Plugin developers have released security patches addressing the vulnerability. WordPress site administrators using the Quick Page/Post Redirect plugin should update immediately to the patched version. This incident underscores ongoing security risks within the WordPress plugin ecosystem. While the open-source WordPress platform and its plugins enable flexibility and extensibility, they also present attack surfaces when security is overlooked. Third-party plugins vary widely in security practices and maintenance quality. Administrators are advised to: - Update the Quick Page/Post Redirect plugin to the latest version - Conduct security audits on affected sites - Review access logs for suspicious activity - Consider limiting plugin installations to essential, actively-maintained tools - Enable regular WordPress security monitoring The discovery highlights the importance of regular security reviews for popular plugins and the need for developers to maintain scrutiny over code changes and contributions.

■ SOURCES

Bleeping Computer

■ SUMMARY WRITTEN BY AI FROM THE LINKS ABOVE

■ MORE FROM THE SECURITY DESK

U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.

4H AGOIndustry Desk

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.

4H AGOSecurity Desk

Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.

7H AGOAI Desk

A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.

9H AGOIndustry Desk

■ SUBSCRIBE TO THE DAILY BRIEF

ONE EMAIL, 5 STORIES, 06:00 UTC. UNSUBSCRIBE ANYTIME.