A high-severity security vulnerability in the WordPress plugin Modular DS is currently being exploited in the wild, according to cybersecurity firm Patchstack. The flaw, identified as CVE-2026-23550 with a CVSS score of 10.0, allows unauthenticated attackers to escalate privileges and gain administrator access on affected sites.
The vulnerability impacts all versions of Modular DS up to 2.5.1 and has been patched in version 2.5.2. The plugin, which has over 40,000 active installations, exposes sensitive routes through a custom routing layer under the /api/modular-connector/ prefix.
Patchstack traced the issue to the plugin's routing mechanism combined with a permissive "direct request" mode. A request carrying the query parameters origin=mo&type=xxx is treated as a trusted direct request, so the authentication check is skipped and otherwise protected endpoints become reachable, including /login/, /server-information/, /manager/, and /backup/.
This flaw enables attackers to exploit the /login/{modular_request} route to create admin accounts or perform other high-privilege actions. Once exploited, a full site compromise is possible, allowing malicious actors to inject code, deploy malware, or redirect visitors to fraudulent websites.
According to Patchstack, attacks exploiting CVE-2026-23550 were first observed on January 13, 2026, at around 02:00 UTC, originating from the IP addresses 45.11.89[.]19 and 185.196.0[.]11 and targeting the login endpoint to create unauthorized admin users.
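The request pattern and source addresses above are enough to triage web server logs for exploitation attempts. The following is an added example, not code from Patchstack or the plugin authors: it assumes an Apache/nginx "combined" access log format and that the plugin's routes are served under /api/modular-connector/ at the site root. The log lines it scans are constructed for illustration. It flags the origin=mo&type= bypass parameters on any connector route and the two reported source IPs, but deliberately does not flag bare hits on the protected routes, since the legitimately connected service uses them too.

```python
"""Log triage for CVE-2026-23550 exploitation attempts (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Source IPs reported by Patchstack for the first observed attacks.
KNOWN_ATTACKER_IPS = {"45.11.89.19", "185.196.0.11"}

# Routes the article says become reachable once the auth check is bypassed.
SENSITIVE_ROUTES = ("/login/", "/server-information/", "/manager/", "/backup/")
ROUTE_PREFIX = "/api/modular-connector/"  # assumed to sit at the site root

# Combined log format: ip - - [time] "METHOD target HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: one exploitation attempt, one ordinary login,
# one legitimate connector call, one probe from a reported attacker IP.
SAMPLE_LOG = [
    '45.11.89.19 - - [13/Jan/2026:02:04:17 +0000] "POST /api/modular-connector/login/abc?origin=mo&type=xxx HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.5 - - [13/Jan/2026:02:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Jan/2026:02:06:00 +0000] "POST /api/modular-connector/server-information/ HTTP/1.1" 200 900 "-" "ModularConnector"',
    '185.196.0.11 - - [13/Jan/2026:02:09:31 +0000] "GET /api/modular-connector/manager/ HTTP/1.1" 403 0 "-" "curl/8.4"',
]


def classify(line):
    """Return a finding dict for a suspicious request, or None for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target = m.group("ip"), m.group("target")
    parts = urlsplit(target)
    path = parts.path
    if not path.startswith(ROUTE_PREFIX):
        return None  # only the plugin's routing layer is in scope

    qs = parse_qs(parts.query)
    # The bypass Patchstack describes: origin=mo plus a type= value makes the
    # router treat the request as a trusted "direct request".
    bypass = qs.get("origin") == ["mo"] and "type" in qs
    # First path segment after the prefix, e.g. "/login/" for /login/{modular_request}
    route = "/" + path[len(ROUTE_PREFIX):].split("/", 1)[0] + "/"
    known_ip = ip in KNOWN_ATTACKER_IPS

    reasons = []
    if bypass:
        reasons.append("direct-request bypass parameters (origin=mo&type=...)")
    if route in SENSITIVE_ROUTES:
        reasons.append("protected route " + route)
    if known_ip:
        reasons.append("source IP reported in Patchstack's first-seen attacks")
    if not (bypass or known_ip):
        return None  # a protected route alone is normal connector traffic

    severity = "high" if bypass and route in SENSITIVE_ROUTES else "medium"
    return {
        "ip": ip,
        "time": m.group("time"),
        "path": path,
        "route": route,
        "status": int(m.group("status")),
        "severity": severity,
        "reasons": reasons,
    }


def triage(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["path"], "; ".join(finding["reasons"]))
```

Run it against a real log with `triage(open("access.log"))`; a "high" finding with a 200 status on /login/ is the case that warrants treating the site as compromised rather than merely probed.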
The vulnerability arises from a combination of design decisions, including:
- Overly permissive URL-based route matching
- Direct request mode that bypasses standard authentication
- Authentication based solely on site connection state
- Automatic fallback to administrator login for certain routes
Modular DS maintainers confirmed that the issue originated in a custom routing layer extending Laravel’s route matching functionality, which allowed crafted requests to access protected endpoints without proper verification.
Mitigation and Recommendations:
Patchstack and the plugin maintainers urge site administrators to:
- Update Modular DS to version 2.5.2 or later immediately.
- Check for signs of compromise, such as unexpected administrator accounts or unusual automated requests to the /api/modular-connector/ routes in the web server logs.
- Regenerate the WordPress salts and keys in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY and the rest) to invalidate all existing authentication cookies, including any session an attacker is still holding.
- Regenerate OAuth credentials for connected services.
- Scan the site for malicious plugins, files, or injected code.
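The account check in the steps above can be scripted once the administrator list has been exported. This is an added example, not code from Patchstack or Modular DS. It assumes the export was produced with WP-CLI as `wp user list --role=administrator --format=json --fields=ID,user_login,user_email,user_registered`, that WordPress stores user_registered in UTC, and that you keep a list of the logins that are supposed to hold the administrator role. The export below is constructed for illustration.

```python
"""Flag administrator accounts that should not exist after CVE-2026-23550 (added example)."""
import json
from datetime import datetime, timezone

# First observed exploitation per Patchstack (January 13, 2026, ~02:00 UTC).
FIRST_SEEN = datetime(2026, 1, 13, 2, 0, tzinfo=timezone.utc)

# Constructed sample of `wp user list --role=administrator --format=json ...` output.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org",
     "user_registered": "2023-04-02 09:15:00"},
    {"ID": 57, "user_login": "wpadmin", "user_email": "wpadmin@example.net",
     "user_registered": "2026-01-13 02:07:41"},
    {"ID": 58, "user_login": "devops", "user_email": "devops@example.org",
     "user_registered": "2026-01-20 10:00:00"},
])

# Assumed known-good list; in practice this comes from your own records.
EXPECTED_ADMINS = {"siteowner", "devops"}


def parse_wp_time(value):
    """WordPress writes user_registered as 'YYYY-MM-DD HH:MM:SS' in GMT."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def suspicious_admins(export_json, expected_logins, first_seen=FIRST_SEEN):
    """Return admins that are unexpected or were created after exploitation began."""
    findings = []
    for user in json.loads(export_json):
        reasons = []
        if user["user_login"] not in expected_logins:
            reasons.append("login not in the expected administrator list")
        if parse_wp_time(user["user_registered"]) >= first_seen:
            reasons.append("registered after the first observed exploitation")
        if reasons:
            findings.append({"ID": user["ID"], "user_login": user["user_login"],
                             "user_email": user["user_email"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_admins(SAMPLE_EXPORT, EXPECTED_ADMINS):
        print(f["ID"], f["user_login"], f["user_email"], "; ".join(f["reasons"]))
```

An account that trips both checks is the typical artefact of the attacks described above; an expected login that only trips the date check still deserves a quick confirmation with whoever created it, since an attacker with admin access can also rename or reuse accounts.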
“This vulnerability highlights the dangers of implicit trust in internal request paths exposed to the public internet,” Patchstack warned. Administrators are strongly advised to ensure all security patches are applied promptly to prevent exploitation.