HackWatch
! High riskMW Malware

Backdoor in Popular WordPress Redirect Plugin Allowed Five Years of Arbitrary Code Injection

Malware coverage focused on infection paths, containment steps and indicators defenders should watch.

Malware activity flagged. Isolate affected systems, preserve logs and block persistence or command-and-control channels before recovery.
Backdoor in Popular WordPress Redirect Plugin Allowed Five Years of Arbitrary Code Injection - HackWatch malware alert image
HackWatch malware alert image for: Backdoor in Popular WordPress Redirect Plugin Allowed Five Years of Arbitrary Code Injection
Marcin Pocztowski

Infrastructure Security Editor

Marcin Pocztowski

Infrastructure and Vulnerability Response

By: Marcin Pocztowski

Published: May 01, 2026

Incident status: Active threat

Corroborating sources: 1

Technical review credentials: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Trust note:This alert is maintained under HackWatch's editorial policy, with visible source records, a named responsible editor and a correction channel for disputed facts.

The published article is checked against public sources before publication, and material corrections are reflected in the article update date.

Technical reviewer note: Marcin Pocztowski reviewed this alert on May 01, 2026 for infrastructure impact, containment order and whether persistence or lateral-movement claims are supported by evidence. His administrator note is concrete: isolate the host or segment first, protect logs and network telemetry, then rebuild, rotate or patch only within the scope supported by the 1 corroborating source, the same cautious sequence he would use around managed router and server environments.

Review our editorial policy or send corrections to [email protected].

Active threat. The incident should still be treated as active until confirmed mitigation or patch adoption is verified.

A stealthy backdoor embedded in the widely used Quick Page/Post Redirect WordPress plugin has enabled arbitrary code execution on affected sites for nearly five years. Users are urged to audit their installations and update immediately.

GLOBAL, May 1, 2026, 17:39 UTC

A long-hidden backdoor in the Quick Page/Post Redirect WordPress plugin has allowed attackers to inject arbitrary code into websites for almost five years, security researchers reported.

The plugin, which facilitates URL redirects within posts, pages, and custom URLs, was compromised with a stealthy backdoor that went unnoticed since around 2021. This vulnerability effectively gave threat actors remote code execution capabilities on sites using the plugin.

Quick Page/Post Redirect is widely deployed across WordPress sites, making this a significant risk vector. The backdoor’s longevity means numerous websites may have been exposed to unauthorized access or manipulation over an extended period.

Security analysts from BleepingComputer first disclosed the issue after uncovering the malicious code embedded deep within the plugin’s files. The backdoor allowed attackers to push arbitrary PHP code, bypassing typical security controls.

This flaw underscores the risks of supply chain attacks in the WordPress ecosystem, where popular plugins can become attack vectors if vetting and monitoring are insufficient.

Site administrators are advised to immediately check their WordPress installations for the Quick Page/Post Redirect plugin and update to the latest clean version. Removing the compromised plugin and scanning for signs of intrusion is critical.

Failure to address this vulnerability could lead to data breaches, site defacements, or the deployment of further malware. Given the plugin’s role in managing redirects, attackers could also manipulate traffic to malicious sites.

WordPress users should also consider strengthening overall security hygiene, including enforcing strong credentials, limiting plugin use, and employing web application firewalls.

The incident highlights the importance of continuous monitoring and auditing of third-party components in web infrastructure. Even trusted plugins can harbor hidden threats that persist undetected for years.

No official statement from the plugin’s developers has been publicly released as of this writing. The WordPress security community continues to investigate the full scope of affected sites.

Site owners unsure about their exposure should consult cybersecurity professionals to conduct thorough forensic analysis and remediation.

This case adds to a growing list of supply chain compromises targeting content management systems, emphasizing the need for vigilance and rapid response to emerging threats.

https://www.scworld.com/brief/arbitrary-code-pushed-by-long-concealed-backdoor-in-widely-used-wordpress-redirect-add-on

Sources used for this article

scmagazine.com

Related alerts

Recommended next steps

Readers following this malware alerts story usually need both context and action. Use the tools and recovery pages below to verify exposure, secure accounts and document the incident path.

Scam Checker for Suspicious Messages

Paste suspicious text to review social-engineering markers, urgency patterns and the safest next steps before you interact with the message.

Open guide

Identity Theft Recovery Planner

The planner converts identity-theft exposure into a 24-hour, 72-hour and 7-day response checklist with fraud reporting, documentation and account-hardening priorities.

Open guide

Breach Exposure Checker for Email and Password Reuse Risk

The breach checker turns a suspected exposure into a prioritized action plan covering credential rotation, MFA hardening, account review, fraud monitoring and evidence capture.

Open guide

Incident Report Intake

The incident intake form helps HackWatch collect early reader signals so new phishing and fraud clusters can be reviewed faster and escalated into coverage.

Open guide

Payment fraud alerts

Review invoice scams, wire-fraud attempts, bank impersonation campaigns and payment-diversion coverage.

Open incident hub

Malware alerts

Explore the dedicated category archive to review similar incidents, compare tactics and find additional response coverage tied to this incident type.

Open category archive
Marcin Pocztowski

Real reviewer profile

Marcin Pocztowski

Infrastructure Security Editor at HackWatch.io

Open reviewer profile

Marcin Pocztowski is the owner of MMPS and an infrastructure security editor for HackWatch. His public technical record spans 20 years, from Security+ evidence dated January 2006 through Juniper, Cisco and RHCSA records, and he reviews server, network and vulnerability-response coverage for source accuracy and practical remediation.

Infrastructure Security Editor: technical-density, source-existence and remediation-logic review for infrastructure and vulnerability coverage.

Coverage focus: Server and network hardening, vulnerability response, patch prioritization and infrastructure security review

Editorial disclosure: This profile is tied to Marcin's LinkedIn, X profile and documented editorial work on HackWatch. Historical certificates are treated as background evidence only, not as current active credentials.

Marcin leads this malware alerts coverage lane at HackWatch. This article is maintained as part of the ongoing editorial watch around "Backdoor in Popular WordPress Redirect Plugin Allowed Five Years of Arbitrary Code Injection".

Technical review: Security+ evidence | RHCSA evidence | JNCIS-SEC evidence

Server and network infrastructure administrationKnown exploited vulnerabilities and patch prioritizationCVSS v4.0 and CISA KEV triage