Severe WordPress Modular DS Plugin Vulnerability is Actively Exploited to Obtain Admin Access
Tracked as CVE-2026-23550 (CVSS score: 10.0), the vulnerability has been characterized as an unauthenticated privilege escalation affecting all plugin versions up to and including 2.5.1. It is fixed in version 2.5.2. The plugin currently has over 40,000 active installs.
“The plugin is susceptible to privilege escalation in versions 2.5.1 and lower because of a number of variables, such as auto-login as admin, circumventing authentication procedures, and direct route selection,” according to Patchstack.
The issue stems from the plugin's routing mechanism, which is intended to place certain critical routes behind an authentication barrier. The plugin exposes its routes under the “/api/modular-connector” prefix.
However, it has been discovered that this security layer can be bypassed whenever the “direct request” mode is enabled, by supplying an “origin” parameter set to “mo” and a “type” parameter set to any value (e.g., “origin=mo&type=xxx”).

“As a result, the request is handled as a modular direct request. Because there is no cryptographic connection between the incoming request and Modular itself, anyone can pass the auth middleware once the site has previously been linked to Modular (tokens present/renewable),” according to Patchstack.
“This exposes a number of routes, such as /login/, /server-information/, /manager/, and /backup/, which enable a variety of operations, from acquiring sensitive system or user data to remote login.”
This vulnerability allows an unauthenticated attacker to obtain administrator access through the “/login/{modular_request}” route, resulting in privilege escalation. That can lead to a full site compromise, allowing an attacker to stage malware, make malicious changes, or redirect users to fraudulent websites.
Attacks exploiting the vulnerability are reported to have been detected on January 13, 2026, at approximately 2 a.m. UTC, according to information provided by the WordPress security company. Attempts to create an admin user were followed by HTTP GET calls to the endpoint “/api/modular-connector/login”.
The attacks have originated from the following IP addresses –
Users are urged to update to a patched version of the plugin as soon as feasible due to the active exploitation of CVE-2026-23550.
According to Patchstack, “This vulnerability demonstrates how risky implicit trust in internal request paths can be when exposed to the public internet.”
“In this instance, a number of design decisions—including URL-based route matching, a permissive “direct request” mode, authentication based solely on the site connection state, and a login flow that automatically reverts to an administrator account—combined to produce the problem rather than a single bug.”

Additionally, Modular DS advises users to check their websites for indications of compromise, such as unexpected admin users or questionable requests from automated scanners, and to take the following actions if they are discovered:
- To invalidate all current sessions, regenerate WordPress salts.
- Regenerate your OAuth login information.
- Check the website for harmful files, plugins, or scripts.
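
To support the log review recommended above, the following added example (not code from Patchstack or Modular DS) scans a web server access log for requests matching the bypass pattern described in this article: the “/api/modular-connector” prefix combined with “origin=mo” and a “type” parameter. The combined log format, the constructed sample lines, and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in "combined" log format, using documentation IP ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [13/Jan/2026:02:01:11 +0000] "GET /api/modular-connector/login/abc?origin=mo&type=xxx HTTP/1.1" 302 0 "-" "curl/8.5.0"
198.51.100.7 - - [13/Jan/2026:02:05:40 +0000] "GET /api/modular-connector/server-information?type=a&origin=mo HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.5 - - [13/Jan/2026:03:00:00 +0000] "GET /blog/?origin=mo&type=news HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Jan/2026:03:00:02 +0000] "GET /api/modular-connector/login/abc HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""

PREFIX = "/api/modular-connector"  # route prefix named in the article
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_suspicious(log_text):
    """Return one record per request that hits the plugin prefix with
    origin=mo and any 'type' parameter (the pattern described above)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        url = urlsplit(m["target"])
        path = unquote(url.path).lower()  # normalise percent-encoding and case
        if PREFIX not in path:
            continue
        params = parse_qs(url.query, keep_blank_values=True)
        if "mo" not in params.get("origin", []) or "type" not in params:
            continue
        # First path segment after the prefix, e.g. login, backup, manager.
        route = path.split(PREFIX, 1)[1].strip("/").split("/")[0]
        status = int(m["status"])
        hits.append({"ip": m["ip"], "time": m["ts"], "route": route,
                     "status": status, "served": status < 400})
    return hits

def hits_by_ip(hits):
    """Count matching requests per client address for triage."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(h)
```

Any hit on the “login” route with a non-error status on a site that ran version 2.5.1 or lower warrants the admin-user review and credential rotation steps listed above.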
According to the plugin’s maintainers, “the vulnerability was found in a custom routing layer that extended Laravel’s route matching functionality. The route matching logic was overly permissive, allowing crafted requests to match protected endpoints without proper authentication validation.”
About The Author:
Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.