A critical security vulnerability found in the WordPress plugin Modular DS is currently being actively exploited, as reported by Patchstack.
This flaw, identified as CVE-2026-23550 with a CVSS score of 10.0, is an unauthenticated privilege escalation issue. It affects all versions of the Modular DS plugin up to and including 2.5.1. A fix has been released in version 2.5.2. The plugin is used on over 40,000 active WordPress sites.
Patchstack explained that versions 2.5.1 and earlier of the plugin are susceptible to privilege escalation. This is due to several factors, including direct route selection, the ability to bypass authentication, and an automatic login feature for administrators.
The core of the issue lies within the plugin’s routing system. While designed to protect sensitive routes with authentication, the plugin exposes its routes via the “/api/modular-connector/” prefix.
However, this security measure can be circumvented when the “direct request” mode is activated. This occurs by providing an “origin” parameter set to “mo” and any value for the “type” parameter (for example, “origin=mo&type=xxx”), which then processes the request as a Modular direct request.
Patchstack clarified that once a site is connected to Modular (meaning tokens are present or renewable), any user can bypass the authentication middleware. This is because there is no cryptographic validation between the incoming request and Modular itself.
This exposure makes several routes vulnerable, such as /login/, /server-information/, /manager/, and /backup/. These routes enable various unauthorized actions, from remote logins to the retrieval of sensitive system or user information.
Consequently, an attacker without authentication can exploit the “/login/{modular_request}” route to gain administrator access, leading to privilege escalation. This could potentially result in a complete site compromise, allowing the attacker to implement malicious modifications, host malware, or redirect visitors to fraudulent sites.
The WordPress security firm reported that initial attacks leveraging this flaw were observed on January 13, 2026, around 2 a.m. UTC. These attacks involved HTTP GET requests to the “/api/modular-connector/login/” endpoint, subsequently followed by efforts to create a new administrative user.
The attacks have been traced back to the following IP addresses:
Given the ongoing exploitation of CVE-2026-23550, users of the Modular DS plugin are strongly advised to update to the patched version without delay.
Patchstack emphasized that this vulnerability demonstrates the risks associated with implicitly trusting internal request paths when they are accessible from the public internet.
The issue did not stem from a single error but rather from a combination of design decisions: URL-based route matching, an overly permissive “direct request” mode, authentication relying solely on the site’s connection status, and a login process that defaults to an administrator account.
Modular DS also recommends that users inspect their sites for any indicators of compromise, such as unauthorized administrative users or unusual requests from automated scanners. If compromise is detected, the following steps should be taken:
- Regenerate WordPress salts to invalidate all current sessions.
- Regenerate OAuth credentials.
- Scan the site for any malicious plugins, files, or code.
The plugin’s maintainers stated that the vulnerability resided within a custom routing layer that extended Laravel’s route matching capabilities. The route matching logic was too permissive, enabling specially crafted requests to access protected endpoints without adequate authentication validation.
