A critical WordPress security vulnerability has been discovered in the popular Modular DS plugin, and it is already being actively exploited by attackers in the wild. Security researchers from Patchstack have confirmed that hackers are abusing the flaw to gain administrator-level access to vulnerable WordPress websites.
The vulnerability is tracked as CVE-2026-23550 and carries the maximum CVSS score of 10.0, indicating extreme severity. All versions of the Modular DS plugin up to and including version 2.5.1 are affected. The issue has been fixed in version 2.5.2, and users are strongly advised to update immediately.
With more than 40,000 active installations, this WordPress plugin vulnerability poses a serious risk to website owners, businesses, and hosting providers.
Modular DS is a WordPress plugin designed to help site owners manage and connect their websites to external services using a modular connector system. To do this, the plugin exposes several API routes that allow remote management, login handling, backups, and system information access.
These routes are available under the URL path /api/modular-connector/
While this design helps with automation and integration, it also introduced a dangerous security weakness due to poor access control and trust assumptions.
According to Patchstack, the vulnerability is an unauthenticated privilege escalation flaw. This means an attacker does not need a username or password to exploit it.
In affected versions, the plugin allows attackers to bypass authentication by abusing a feature called “direct request mode.” This mode was intended for trusted internal requests but was mistakenly exposed to the public internet.
Attackers can send a crafted HTTP request containing specific parameters:
- origin=mo
- type=any_value
For example:
origin=mo&type=xxx
When these parameters are included, the plugin treats the request as a trusted Modular direct request, even though it comes from an external attacker.
Patchstack explained that there is no cryptographic verification to confirm that the request actually comes from Modular’s infrastructure. As a result, anyone can bypass the authentication middleware once the site is connected to Modular and has valid tokens stored.
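A simplified model of the trust decision described above, next to a signed alternative, as an added example. It is written in Python rather than the plugin's PHP and is neither Modular DS code nor the 2.5.2 fix; the header names, the per-site shared secret and the 300-second window are assumptions.

```python
import hashlib
import hmac
import time

MAX_SKEW = 300  # seconds a signed request stays valid (assumed policy)

def is_trusted_weak(params, site_connected):
    """Model of the flawed check: values supplied by the caller decide trust."""
    return site_connected and params.get("origin") == "mo" and "type" in params

def sign(secret, method, path, ts):
    """HMAC-SHA256 over the request parts the receiver will act on."""
    msg = f"{method}\n{path}\n{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def is_trusted_signed(secret, method, path, headers, now=None):
    """Hardened check: trust only requests carrying a fresh, valid MAC."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-Timestamp"])  # hypothetical header name
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW:
        return False  # stale or future-dated: rejects replayed requests
    expected = sign(secret, method, path, ts).encode()
    supplied = headers.get("X-Signature", "").encode()  # hypothetical header
    return hmac.compare_digest(expected, supplied)  # constant-time compare
```

With the weak check, any caller who adds the two parameters is trusted once the site is connected; with the signed check, the same request fails unless the sender holds the secret.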
Due to this bypass, multiple sensitive API routes become accessible without authentication, including:
- /login/
- /server-information/
- /manager/
- /backup/
These endpoints allow attackers to perform dangerous actions, such as:
- Logging in remotely
- Accessing server and system information
- Viewing user details
- Managing site configurations
- Triggering backup-related functions
The most serious issue lies with the /login/ endpoint.
By exploiting the /login/{modular_request} route, attackers can automatically log in as an administrator. This leads to full privilege escalation, giving complete control over the WordPress site.
Once admin access is gained, attackers can:
- Create new admin accounts
- Upload malicious plugins or backdoors
- Modify website content
- Inject malware or spam
- Redirect visitors to phishing or scam sites
- Steal sensitive user data
- Completely take over the website
In short, this vulnerability can result in a full site compromise.
Patchstack confirmed that exploitation attempts began on January 13, 2026, at around 2:00 a.m. UTC.
Attackers were seen sending HTTP GET requests to the following endpoint:
/api/modular-connector/login/
After successfully exploiting the flaw, attackers attempted to create new administrator users, a common tactic to maintain persistent access.
The malicious activity originated from the following IP addresses:
45.11.89[.]19
185.196.0[.]11
Website owners and security teams should check their logs for requests from these IPs and investigate any suspicious admin activity.
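One way to run that log check, as an added example that is not from Patchstack or the plugin's authors: it parses Combined Log Format lines and flags the two reported IPs, requests under /api/modular-connector/ that carry origin=mo with a type parameter, and hits on the login route. The log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators from the article, re-fanged for matching.
REPORTED_IPS = {"45.11.89.19", "185.196.0.11"}
PREFIX = "/api/modular-connector/"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return the reasons a log line deserves review ([] if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if m["ip"] in REPORTED_IPS:
        reasons.append("reported-ip")
    url = urlsplit(m["target"])
    if url.path.startswith(PREFIX):
        params = parse_qs(url.query, keep_blank_values=True)
        if "mo" in params.get("origin", []) and "type" in params:
            reasons.append("direct-request-params")
        if url.path.startswith(PREFIX + "login/"):
            reasons.append("connector-login")
    return reasons

def scan(lines):
    """Return (ip, time, status, reasons) for every line worth reviewing."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["time"], int(m["status"]), reasons))
    return hits

# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [13/Jan/2026:02:04:11 +0000] "GET /api/modular-connector/login/abc?origin=mo&type=xxx HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.20 - - [13/Jan/2026:02:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4521 "-" "-"',
    '45.11.89.19 - - [13/Jan/2026:02:06:30 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "-"',
]
```

Pass an open access log to `scan()` and correlate any hit with administrator accounts created shortly afterwards; a hit from an IP outside the reported pair still matters, since the parameter pattern does not depend on the source address.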
Patchstack emphasized that this issue is not caused by a single coding mistake. Instead, it is the result of multiple risky design choices in combination, including:
- URL-based route matching
- Overly permissive “direct request” mode
- Authentication based only on connection state
- Automatic admin login fallback
- Lack of cryptographic request validation
This case highlights how implicit trust in internal routes can become extremely dangerous when exposed to the public internet.
If you are using the Modular DS plugin, take the following steps immediately:
- Update the plugin to version 2.5.2 or later
- Review WordPress admin user accounts for suspicious additions
- Check server and access logs for unusual API requests
- Change all administrator passwords
- Enable a Web Application Firewall (WAF)
- Monitor your site for unexpected changes or redirects
Delaying the update could leave your site open to active attacks.
The CVE-2026-23550 WordPress vulnerability is a serious reminder that even widely used plugins can introduce critical security risks. With active exploitation already confirmed, this flaw represents an urgent threat to thousands of WordPress websites worldwide.
Keeping plugins updated, minimizing exposed API endpoints, and following secure design principles are essential to protecting WordPress sites from modern attacks.