Source: Security.NL
A security researcher has reportedly discovered two backdoors hidden inside the WordPress plugin 'Quick Page/Post Redirect', according to Security.NL. The plugin, which allows WordPress websites to redirect URLs to other locations, had more than 70,000 active installations at the time of discovery. WordPress.org has taken the plugin offline and says it is investigating the matter.
According to Security.NL, researcher Austin Ginder identified two separate problems inside the plugin. The first backdoor reportedly allows malicious content to be injected into affected WordPress websites, possibly to generate SEO spam. The second backdoor causes the plugin to install updates from a specific external domain, which could allow attackers to run code on your website remotely.
Austin Ginder's analysis reportedly suggests the malicious code was added in 2021, though this has not been independently verified. It is not currently known whether the backdoors were placed there by the plugin's developer or by a third party. It is also not confirmed whether any websites were actually compromised as a result.
WordPress.org has removed the plugin from its directory and is conducting an investigation. WordPress administrators are being urged to remove 'Quick Page/Post Redirect' from their websites immediately.
Because this report comes from a secondary news source rather than an official statement, some details may change as the investigation continues. It is worth keeping an eye on further updates from WordPress.org directly.
If you run a WordPress website and have the 'Quick Page/Post Redirect' plugin installed, you should remove it as soon as possible. This situation is a good reminder to regularly review which plugins are active on your site and to remove any you no longer use or recognise. You can find practical steps in our security checklist for small businesses and our guide on vulnerable WordPress plugins.
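An added example, not taken from Security.NL, the researcher's analysis or the plugin's code: one way to carry out the plugin review suggested above is to flag installed plugins that hook WordPress's update check or name a non-wordpress.org update host, the behaviour attributed to the second backdoor. The sample plugins, host names and function names are constructed; the page does not say how the backdoor implemented its updates, so the hook-based heuristic is an assumption.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# WordPress core filters a plugin can hook to answer or alter the update check.
UPDATE_HOOKS = ("pre_set_site_transient_update_plugins",
                "site_transient_update_plugins", "plugins_api")
HOOK_RE = re.compile(r"add_filter\(\s*['\"](%s)['\"]" % "|".join(UPDATE_HOOKS))
URI_RE = re.compile(r"^[ \t/*#@]*Update URI:[ \t]*(\S+)", re.M | re.I)  # plugin header
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
TRUSTED = ("wordpress.org", "w.org")

def host_of(url):
    try:
        return urlparse(url).hostname
    except ValueError:  # malformed URL in the source text
        return None
def external(host):
    return bool(host) and not any(host == t or host.endswith("." + t) for t in TRUSTED)

def audit_plugin(plugin_dir):
    """Heuristic: report update hooks and update hosts outside wordpress.org."""
    hooks, hosts = set(), set()
    for php in sorted(Path(plugin_dir).rglob("*.php")):
        src = php.read_text(errors="replace")
        hosts |= {host_of(m.group(1)) for m in URI_RE.finditer(src)}
        found = {h.group(1) for h in HOOK_RE.finditer(src)}
        if found:  # only collect URLs from files that touch the update flow
            hooks |= found
            hosts |= {host_of(u) for u in URL_RE.findall(src)}
    ext = sorted(h for h in hosts if external(h))
    return {"plugin": Path(plugin_dir).name, "hooks": sorted(hooks),
            "external_hosts": ext, "review": bool(hooks or ext)}

def audit_sample():
    """Build two constructed plugins (made-up names and hosts) and audit them."""
    with tempfile.TemporaryDirectory() as d:
        clean, bad = Path(d, "clean-plugin"), Path(d, "self-updater")
        clean.mkdir(); bad.mkdir()
        (clean / "clean.php").write_text("<?php\n/* Plugin Name: Clean\nPlugin URI: https://author.example.test/ */\n")
        (bad / "main.php").write_text(
            "<?php\n/* Plugin Name: Self Updater */\n"
            "add_filter( 'pre_set_site_transient_update_plugins', 'su_check' );\n"
            "function su_check( $t ) { wp_remote_get( 'https://updates.example.test/c.json' ); return $t; }\n")
        return [audit_plugin(clean), audit_plugin(bad)]

if __name__ == "__main__":
    print(audit_sample())
```

A hit is a prompt for manual review rather than proof of compromise, since commercial plugins legitimately update from their own servers; on a real site, call `audit_plugin` on each directory under `wp-content/plugins`.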