If you use the WordPress 404 to 301 plugin, you will want to remove it, or at the very least update it.  Users discovered that the plugin is injecting paid links that are only visible to search engines.  So a site owner visiting their site would not see anything amiss, but checking it via a user agent switcher or using one of Google’s tools such as Fetch & Render will show these spam links.

For websites using this plugin, this could result in either a cloaking manual action (for showing links to search engines that are not visible to users) or possibly a hacked site alert and manual action in Google.

WordFence was the first to bring this issue to the attention of site owners, and noted it is installed on 70,000+ websites. And buried in the GNU that site owners agree to in order to use the plugin is the note that ads would be injected.

Third Party Text Links

Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.

By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it. Your website’s layout, performance and interaction with human visitors should not be altered or affected in any way. Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN, without affecting any other feature available in 404 to 301.

The plugin owner responded to state that he gave a third party permission to add a script that would track every visitor’s IP and user agent, along with credits.  He does not name the third party, nor is one listed as an author of the plugin.  However, the GNU clearly states that ads will be shown to search engines only, which is against Google’s webmaster guidelines and would put every site using this plugin at risk of a manual action from Google AND being removed from the Google search results.

Bottom line, site owners should remove this plugin, or update it to the newly released version (the plugin owner states has the ads and tracking removed).  However, it is definitely use at your own risk.