The Quick Page/Post Redirect plugin, installed on more than 70,000 WordPress sites, had a backdoor added five years ago that allows injecting arbitrary code into users’ sites.

The malware was uncovered by Austin Ginder, the founder of WordPress hosting provider Anchor, who found it after 12 infected sites on his fleet triggered a security alert.

Quick Page/Post Redirect plugin, available on WordPress.org for several years, is a basic utility plugin used for creating redirects in posts, pages, and custom URLs.