Source: Security.NL
A security researcher has reportedly discovered two backdoors hidden inside the WordPress plugin 'Quick Page/Post Redirect', according to Security.NL. The plugin, which allows WordPress websites to redirect URLs to other locations, had more than 70,000 active installations at the time of discovery. WordPress.org has taken the plugin offline and says it is investigating the matter.
According to Security.NL, researcher Austin Ginder identified two separate problems inside the plugin. The first backdoor reportedly allows malicious content to be injected into affected WordPress websites, possibly to generate SEO spam. The second backdoor causes the plugin to install updates from a specific external domain, which could allow attackers to run code on affected websites remotely.
Austin Ginder's analysis reportedly suggests the malicious code was added in 2021, though this has not been independently verified. It is not currently known whether the backdoors were placed there by the plugin's developer or by a third party. It is also not confirmed whether any websites were actually compromised as a result.
WordPress.org has removed the plugin from its directory and is conducting an investigation. WordPress administrators are being urged to remove 'Quick Page/Post Redirect' from their websites immediately.
Because this report comes from a secondary news source rather than an official statement, some details may change as the investigation continues. It is worth keeping an eye on further updates from WordPress.org directly.
If you run a WordPress website and have the 'Quick Page/Post Redirect' plugin installed, you should remove it as soon as possible. This situation is a good reminder to regularly review which plugins are active on your site and to remove any you no longer use or recognise. You can find practical steps in our security checklist for small businesses and our guide on vulnerable WordPress plugins.