A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack.
The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), has been described as a case of unauthenticated privilege escalation affecting all versions of the plugin prior to and including 2.5.1. It has been patched in version 2.5.2. The plugin has more than 40,000 active installs.
“In versions 2.5.1 and below, the plugin is vulnerable to privilege escalation, due to a combination of factors including direct route selection, bypassing of authentication mechanisms, and auto-login as admin,” Patchstack said.
The problem is rooted in its routing mechanism, which is designed to place certain sensitive routes behind an authentication barrier. The plugin exposes its routes under the “/api/modular-connector/” prefix.
However, it has been found that this security layer can be bypassed whenever the “direct request” mode is enabled by supplying an “origin” parameter set to “mo” and a “type” parameter set to any value (e.g., “origin=mo&type=xxx”). This causes the request to be treated as a Modular direct request.
“Consequently, as soon as the site has already been connected to Modular (tokens present/renewable), anyone can pass the auth middleware: there is no cryptographic link between the incoming request and Modular itself,” Patchstack explained.
“This exposes several routes, including /login/, /server-information/, /manager/, and /backup/, which allow various actions to be performed, ranging from remote login to obtaining sensitive system or user information.”
As a result of this loophole, an unauthenticated attacker can exploit the “/login/{modular_request}” path to gain administrator access, resulting in privilege escalation. This could then pave the way for a full site compromise, allowing an attacker to introduce malicious changes, stage malware, or redirect users to scams.
According to details shared by the WordPress security company, attacks exploiting the flaw are said to have been first detected on January 13, 2026, at around 2 a.m. UTC, with HTTP GET calls to the endpoint “/api/modular-connector/login/” followed by attempts to create an admin user.
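The exploitation pattern Patchstack describes (a GET to the plugin's login route carrying the direct-request parameters, followed by an attempt to create an administrator) is something a site owner can look for in their own web server access logs. The script below is an added example and is not code from Patchstack, Modular DS, or the article; it parses combined-format access log lines, flags any request to the /api/modular-connector/ prefix that carries the `origin=mo` and `type=` parameters named in the article, and treats a hit on the `login` route as critical. The sample log lines are constructed, and the follow-up check for a request to `/wp-admin/user-new.php` from the same IP shortly afterwards is an assumption about how an admin-creation attempt would appear, not something the article states.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [13/Jan/2026:02:01:11 +0000] "GET /api/modular-connector/login/?origin=mo&type=xxx HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [13/Jan/2026:02:01:14 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.5 - - [13/Jan/2026:02:05:40 +0000] "GET /api/modular-connector/server-information/?origin=mo&type=1 HTTP/1.1" 200 812 "-" "curl/8.4.0"
192.0.2.9 - - [13/Jan/2026:03:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PREFIX = "/api/modular-connector/"          # route prefix named in the article
USER_CREATE_PATH = "/wp-admin/user-new.php" # assumed follow-up indicator, not from the article


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "status": int(m.group("status")),
    }


def classify(req):
    """Return a severity label for a modular-connector request, or None for other paths."""
    if not req["path"].startswith(PREFIX):
        return None
    # The bypass condition from the article: origin=mo plus a type= parameter with any value.
    direct = req["query"].get("origin") == ["mo"] and "type" in req["query"]
    route = req["path"][len(PREFIX):].strip("/").split("/")[0]
    if direct and route == "login":
        return "critical: direct-request login route"
    if direct:
        return f"high: direct-request to protected route '{route}'"
    return f"info: modular-connector route '{route}'"


def scan(log_text, followup_window=timedelta(minutes=5)):
    """Scan log text and return (ip, path, label) findings in log order."""
    findings = []
    login_hits = {}  # ip -> timestamp of the most recent flagged login-route request
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        label = classify(req)
        if label:
            findings.append((req["ip"], req["path"], label))
            if label.startswith("critical"):
                login_hits[req["ip"]] = req["ts"]
        elif (req["path"] == USER_CREATE_PATH and req["ip"] in login_hits
              and req["ts"] - login_hits[req["ip"]] <= followup_window):
            # Assumed corroborating signal: admin-creation page hit soon after the login bypass.
            findings.append((req["ip"], req["path"],
                             "critical: admin user creation attempt after login bypass"))
    return findings


if __name__ == "__main__":
    for ip, path, label in scan(SAMPLE_LOG):
        print(f"{ip:15} {label:55} {path}")
```

Run it against a real access log by reading the file into `scan()`; any “critical” line is worth checking against the site's user list, and the plain “info” hits are normal plugin traffic once the site is connected to Modular, so they are listed only for context.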
The attacks have originated from the following IP addresses –
In light of active exploitation of CVE-2026-23550, users of the plugin are advised to update to a patched version as soon as possible.
“This vulnerability highlights how dangerous implicit trust in internal request paths can be when exposed to the public internet,” Patchstack said.
“In this case, the issue was not caused by a single bug, but by several design decisions combined together: URL-based route matching, a permissive ‘direct request’ mode, authentication based solely on the site connection state, and a login flow that automatically falls back to an administrator account.”
Modular DS is also recommending that users review their sites for signs of compromise, such as unexpected admin users or suspicious requests from automated scanners, and, if found, perform the steps below –
- Regenerate WordPress salts to invalidate all existing sessions
- Regenerate OAuth credentials
- Scan the site for malicious plugins, files, or code
“The vulnerability was located in a custom routing layer extending Laravel’s route matching functionality,” the maintainers of the plugin said. “The route matching logic was overly permissive, allowing crafted requests to match protected endpoints without proper authentication validation.”