Actively exploited critical flaw in Modular DS WordPress plugin enables admin takeover
The Modular DS WordPress plugin contains a critical vulnerability (CVE-2026-23550) with a CVSS score of 10. The flaw lets attackers take over administrator accounts through unauthenticated privilege escalation: by abusing direct route access they can bypass the authentication mechanism and trigger an automatic admin login. The vulnerability affects 45,000 installations and is being actively exploited in attacks. Users are advised to update to the fixed version immediately. 2026-1-16 08:26:7 Author: securityaffairs.com

A critical Modular DS WordPress flaw (CVE-2026-23550) is actively exploited, enabling unauthenticated privilege escalation.

Threat actors are actively exploiting a critical Modular DS WordPress vulnerability tracked as CVE-2026-23550 (CVSS score of 10).

Modular DS is a WordPress plugin with over 40,000 installs that helps manage multiple sites, enabling monitoring, updates, and remote administration.

In plugin versions 2.5.1 and earlier, the flaw allows attackers to escalate privileges by abusing direct route access, bypassing authentication checks and triggering automatic admin login.

“In versions 2.5.1 and below, the plugin is vulnerable to privilege escalation, due to a combination of factors including direct route selection, bypassing of authentication mechanisms, and auto-login as admin,” reads the report published by cybersecurity firm Patchstack.

The plugin exposes API routes under /api/modular-connector/ protected by an auth middleware, but authentication can be bypassed via a flawed isDirectRequest() check. By simply setting origin=mo and a type parameter, requests are treated as trusted “direct” requests without any signature, secret, IP, or User-Agent validation. If the site is already connected to Modular, attackers can access sensitive routes (e.g., login, system info, backups), enabling unauthorized actions and data access.

“There is no verification of a signature, secret, IP, or mandatory User-Agent: the simple pair origin=mo&type=xxx is enough for the request to be considered as a Modular direct request,” continues the report. “As well, when the request is considered ‘direct’, the auth middleware in vendor/ares/framework/src/Foundation/Auth/ModularGuard.php only checks if the site is connected to Modular via the validateOrRenewAccessToken() function.”

Once a site is connected to Modular, missing cryptographic validation lets anyone bypass auth middleware, exposing routes like /login and /backup for remote access and data theft.

The issue was fixed in v2.5.2 by removing URL-based route matching, adding a default 404 route, and restricting route binding to recognized request types only.

Security researchers say attacks began on January 13, 2026, targeting the plugin’s login API to gain admin access and create new admin users. The activity came from two known IP addresses (45.11.89[.]19, 185.196.0[.]11). Users are strongly urged to update to the fixed version immediately to stay protected.
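As an added hunting example (not code from the article, Patchstack, or the plugin), the script below scans combined-format web server access logs for requests that carry the origin=mo and type pair on /api/modular-connector/ routes, the pattern the vulnerable isDirectRequest() check trusted, and marks hits from the two IPs reported above. The log lines are constructed; the system-info route name, the other IPs and the user agents are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). The first two
# IPs are the ones reported in the article; everything else is made up.
SAMPLE_LOG = """\
45.11.89.19 - - [13/Jan/2026:03:14:07 +0000] "GET /api/modular-connector/login?origin=mo&type=login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
185.196.0.11 - - [13/Jan/2026:03:15:22 +0000] "POST /api/modular-connector/backup?origin=mo&type=backup HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.5 - - [13/Jan/2026:03:16:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2026:03:17:45 +0000] "GET /api/modular-connector/system-info?origin=mo&type=system-info HTTP/1.1" 200 890 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
ROUTE_PREFIX = "/api/modular-connector/"
KNOWN_ATTACKER_IPS = {"45.11.89.19", "185.196.0.11"}  # reported in the article


def is_direct_request_pattern(target):
    """True when a plugin API URL carries the origin=mo + type=... pair that
    the vulnerable isDirectRequest() check accepted as a trusted request."""
    parts = urlsplit(target)
    if not parts.path.startswith(ROUTE_PREFIX):
        return False
    qs = parse_qs(parts.query)
    return qs.get("origin") == ["mo"] and "type" in qs


def hunt(log_text):
    """Return one finding per request matching the bypass pattern, noting the
    targeted plugin route and whether the source IP is a reported one."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_direct_request_pattern(m["target"]):
            continue
        route = urlsplit(m["target"]).path[len(ROUTE_PREFIX):]
        findings.append({
            "ip": m["ip"],
            "route": route,
            "status": int(m["status"]),
            "known_attacker_ip": m["ip"] in KNOWN_ATTACKER_IPS,
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

A 2xx/3xx status on the login route is the finding to escalate first, since that is the route attackers used to obtain admin sessions.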

“This vulnerability highlights how dangerous implicit trust in internal request paths can be when exposed to the public internet,” Patchstack concludes. “In this case, the issue was not caused by a single bug, but by several design choices combined together: URL-based route matching, a permissive ‘direct request’ mode, authentication based only on the site connection state, and a login flow that automatically falls back to an administrator account.”


Pierluigi Paganini

(SecurityAffairs – hacking, Modular DS WordPress)




Source: https://securityaffairs.com/186976/security/actively-exploited-critical-flaw-in-modular-ds-wordpress-plugin-enables-admin-takeover.html