Critical WordPress Modular DS Plugin Vulnerability Actively Exploited to Gain Admin Access

Security researchers have confirmed active exploitation of a critical vulnerability affecting the Modular DS WordPress plugin, allowing attackers to gain administrator-level access without authentication. The issue has been disclosed by WordPress security firm Patchstack and is already being abused in real-world attacks.

The vulnerability is tracked as CVE-2026-23550 and carries a maximum CVSS score of 10.0, indicating severe risk. It impacts all versions of the plugin up to and including version 2.5.1 and has been fixed in version 2.5.2. Modular DS currently has more than 40,000 active installations, significantly increasing the potential attack surface.

Technical Details of the Vulnerability

Patchstack explained that the flaw allows unauthenticated privilege escalation due to multiple weaknesses in the plugin’s internal design. These include insecure route handling, bypassable authentication checks, and an automatic administrator login mechanism.

The issue originates from the plugin’s routing system, which attempts to protect sensitive endpoints behind authentication controls. All routes are exposed under the /api/modular-connector/ path. However, attackers can bypass these protections when the plugin processes requests in direct request mode.

By supplying an origin parameter set to mo and a type parameter set to any value, the request is incorrectly classified as a trusted Modular request. This bypasses the authentication middleware entirely.

Exposed Routes and Privilege Escalation Risk

Once the authentication barrier is bypassed, several critical endpoints become accessible. These include routes for login, server information, management functions, and backups. Among them, the /login/{modular_request} endpoint can be abused to gain administrator access, leading directly to full site compromise.

Patchstack noted that the plugin relies solely on the site’s existing connection state to Modular and does not cryptographically verify incoming requests. As a result, any attacker can exploit the flaw as long as valid tokens exist on the site.

Active Exploitation Observed

According to Patchstack, exploitation attempts were first detected on January 13, 2026, around 02:00 UTC. Attackers issued HTTP GET requests to the /api/modular-connector/login/ endpoint and attempted to create new administrator accounts shortly afterward.

The attacks were observed originating from the following IP addresses:

Security Impact and Mitigation Guidance

Successful exploitation of this vulnerability allows attackers to fully compromise affected WordPress sites. This includes injecting malicious code, installing backdoors, redirecting visitors to scam pages, or distributing malware.

Users of the Modular DS plugin are strongly advised to update immediately to version 2.5.2. In addition, site owners should inspect their environments for indicators of compromise.

Recommended remediation steps include regenerating WordPress salts to invalidate existing sessions, rotating OAuth credentials, and performing a full scan for malicious plugins, files, or injected code.
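As a starting point for that inspection, the following added example (not code from Patchstack or the plugin) scans web server access logs for requests to the plugin's routes that carry the direct-request parameters described above, and counts later /wp-admin/ requests from the same source. It assumes Combined Log Format and chronologically ordered lines; the sample lines, IP addresses, status codes and path segment are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format prefix: ip - user [time] "METHOD target PROTO" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3})')
PREFIX = "/api/modular-connector/"  # route prefix named in the article

def classify(line):
    """Return a finding for a request to the plugin's routes, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, when, method, target, status = m.groups()
    url = urlsplit(target)
    path = unquote(url.path).lower()
    if PREFIX not in path:           # also matches WordPress in a subdirectory
        return None
    query = parse_qs(url.query, keep_blank_values=True)
    origins = [v.lower() for v in query.get("origin", [])]
    return {
        "ip": ip, "time": when, "method": method, "status": int(status),
        "login_route": path.split(PREFIX, 1)[1].startswith("login"),
        "direct_mode": "mo" in origins and "type" in query,
    }

def suspicious_ips(lines):
    """Map source IP -> findings plus a count of its later /wp-admin/ requests."""
    report = {}
    for line in lines:
        hit = classify(line)
        if hit and (hit["login_route"] or hit["direct_mode"]):
            entry = report.setdefault(hit["ip"], {"hits": [], "wp_admin_after": 0})
            entry["hits"].append(hit)
            continue
        m = LOG_RE.match(line)
        if m and m.group(1) in report and "/wp-admin/" in m.group(4):
            report[m.group(1)]["wp_admin_after"] += 1
    return report

# Constructed sample lines (documentation-range IPs, placeholder path segment).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jan/2026:02:01:10 +0000] "GET /api/modular-connector/login/PLACEHOLDER?origin=mo&type=x HTTP/1.1" 302 0',
    '203.0.113.7 - - [13/Jan/2026:02:01:12 +0000] "GET /wp-admin/users.php HTTP/1.1" 200 5120',
    '198.51.100.4 - - [13/Jan/2026:02:03:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 8000',
    '198.51.100.9 - - [13/Jan/2026:02:04:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for ip, info in suspicious_ips(SAMPLE_LOG).items():
        print(ip, "plugin-route hits:", len(info["hits"]),
              "later /wp-admin/ requests:", info["wp_admin_after"])
```

Requests from the Modular service itself may use the same routes, so treat each hit as a lead to triage against the site's expected traffic and its list of administrator accounts.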

Patchstack emphasized that the incident highlights the dangers of implicit trust in internal routing logic exposed to the public internet. The flaw resulted from a combination of multiple design decisions rather than a single coding error.


