WordPress plugin hijacked in 2020 hid a dormant backdoor for years
Twelve sites in our fleet were running a tampered version 5.2.3 of Quick Page/Post Redirect Plugin. The file hash did not match anything on wordpress.org. The SVN log showed the plugin author committed the supply chain mechanism themselves.
Opening excerpt (first ~120 words)
My security finder sent me a routine alert. One of the plugins in our fleet had a known issue. Quick Page/Post Redirect Plugin, version 5.2.3. I ran a fleet query. Twelve sites on it. I have run hundreds of security audits since using Claude Code. Most of them end with “plugin is fine, keep it updated.” This one did not.

The version that was not the WordPress.org version

Every site reported plugin version 5.2.3 to WP-CLI. I pulled one of the files over SSH and ran md5sum. The hash came back as ad717da18cf8a2b69899c0d7dafee05a. I ran the same command against every version of the plugin available on wordpress.org. Downloaded 5.1.5 through 5.2.4 directly from the SVN tags. None of them produced that hash. The 5.2.3 on the twelve sites was not the 5.2.3 on wordpress.org. Same version string.
…
Excerpt limited to ~120 words for fair-use compliance. The full article is at Anchor Hosting.
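The check the excerpt describes, a version string that matches an official release while the file checksum does not, is the kind of thing worth automating across a fleet. The following is an added example, not code from the Anchor Hosting article or from the plugin project: it parses the WordPress plugin header for the `Version:` line, hashes the file, and compares the digest against a manifest of known-good per-version digests. The plugin bodies, the site names, the `qppr_*` function names and the manifest digests are all constructed here for illustration; in practice the manifest would be built by hashing the files from the wordpress.org SVN tags, as the article does by hand with md5sum.

```python
"""Added example: detect plugin files whose version header matches an official
release but whose checksum does not (constructed data, not the article's code)."""
import hashlib
import re
from typing import Dict, Optional, Tuple


def md5_hex(data: bytes) -> str:
    """MD5 of the file contents, matching what `md5sum` prints on the command line."""
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for the main plugin file as published for version 5.2.3.
OFFICIAL_BODY = b"""<?php
/*
Plugin Name: Quick Page/Post Redirect Plugin
Version: 5.2.3
*/
function qppr_redirect() { /* constructed release body */ }
"""

# Constructed stand-in for a modified copy: same header, extra code appended.
# Nothing here is taken from the real tampered plugin.
TAMPERED_BODY = OFFICIAL_BODY + b"""
function qppr_added() { return 1; } // constructed extra block
"""

# Reference manifest: version string -> digest of the official file.
# Built from the constructed body above; a real manifest is built from the SVN tags.
REFERENCE_MANIFEST: Dict[str, str] = {
    "5.2.3": md5_hex(OFFICIAL_BODY),
}

# Matches "Version: x.y.z" in a plugin header, with or without a leading " * ".
VERSION_RE = re.compile(rb"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def plugin_header_version(data: bytes) -> Optional[str]:
    """Return the Version value from the WordPress plugin header, or None."""
    m = VERSION_RE.search(data)
    return m.group(1).decode() if m else None


def classify(data: bytes, manifest: Dict[str, str]) -> str:
    """Compare one plugin file against the manifest.

    Statuses:
      matches-official            digest equals the published digest for that version
      version-match-hash-mismatch header claims a known version, digest differs
      unknown-version             header version not in the manifest
      no-version-header           file has no parseable Version: line
    """
    version = plugin_header_version(data)
    if version is None:
        return "no-version-header"
    expected = manifest.get(version)
    if expected is None:
        return "unknown-version"
    return "matches-official" if md5_hex(data) == expected else "version-match-hash-mismatch"


def audit_fleet(fleet: Dict[str, bytes],
                manifest: Dict[str, str]) -> Dict[str, Tuple[Optional[str], str, str]]:
    """Map each site to (reported version, digest, status).

    `fleet` stands in for the file contents pulled from each site over SSH.
    """
    return {site: (plugin_header_version(body), md5_hex(body), classify(body, manifest))
            for site, body in fleet.items()}


# Constructed fleet: two sites clean, one carrying the modified file.
FLEET: Dict[str, bytes] = {
    "site-01.example": OFFICIAL_BODY,
    "site-02.example": TAMPERED_BODY,
    "site-03.example": OFFICIAL_BODY,
}


if __name__ == "__main__":
    for site, (version, digest, status) in audit_fleet(FLEET, REFERENCE_MANIFEST).items():
        print(f"{site}: version={version} md5={digest} {status}")
```

The point of the `version-match-hash-mismatch` status is that `wp plugin list` and the plugin header both report the version string the file claims, so an inventory keyed on version alone cannot see the difference; only the digest comparison against the official release does.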