
According to Patchstack, a maximum-severity security flaw in a WordPress plugin called Modular DS is being exploited in the wild.
This vulnerability is tracked as CVE-2026-23550 (CVSS score: 10.0) and is described as a case of unauthenticated privilege escalation affecting all versions of the plugin prior to 2.5.1. Version 2.5.2 is patched. This plugin has over 40,000 active installations.
“Below version 2.5.1, the plugin is vulnerable to privilege escalation due to a combination of factors, including direct route selection, bypassing authentication mechanisms, and automatically logging in as an administrator,” Patchstack said.
The cause of this issue is a routing mechanism that is designed to put certain sensitive routes behind authentication barriers. The plugin exposes its routes with the “/api/modular-connector/” prefix.

However, it has been found that by setting the “origin” parameter to “mo” and the “type” parameter to any value (e.g. “origin=mo&type=xxx”), this security layer can be bypassed whenever “direct requests” are enabled. This causes the request to be treated as a modular direct request.
“So once a site is already connected to Modular (token exists/can be refreshed), anyone can pass through the authentication middleware. There is no cryptographic link between incoming requests and Modular itself,” Patchstack explained.
“This exposes multiple routes, such as /login/, /server-information/, /manager/, and /backup/, allowing a variety of actions to be performed, from remote logins to retrieving sensitive system and user data.”
This loophole could allow an unauthenticated attacker to gain administrative access by abusing the “/login/{modular_request}” route, resulting in privilege escalation. This opens the way for the entire site to be compromised, allowing attackers to introduce malicious changes, stage malware, or redirect users to scams.
According to details shared by the WordPress security firm, an attack exploiting this flaw was first detected on January 13, 2026, at approximately 2:00 AM UTC, via an HTTP GET call to the endpoint “/api/modular-connector/login/”, followed by an attempt to create an administrator user.
The attack originated from the following IP address –

Given the active exploitation of CVE-2026-23550, we recommend that users of the plugin update to a patched version as soon as possible.
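For sites that ran a vulnerable version, the request pattern described above can be searched for in web server access logs. The following is an added example, not code from Patchstack or the plugin: it assumes combined-format access logs, and the sample log lines, IP addresses and the “example” route are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

PREFIX = "/api/modular-connector/"          # route prefix named in the advisory
SENSITIVE = ("login", "server-information", "manager", "backup")
# Combined/common log format: ip ident user [time] "METHOD uri PROTO" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(uri):
    """Return None, 'bypass-pattern' or 'bypass-pattern-sensitive' for a request URI."""
    parts = urlsplit(uri)
    # Normalise generously (decode, collapse slashes, lower-case): over-matching is
    # acceptable for triage, missing an obfuscated request is not.
    path = re.sub(r"/+", "/", unquote(parts.path)).lower()
    idx = path.find(PREFIX)                 # find() also covers sub-directory installs
    if idx == -1:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # The reported pattern needs origin=mo plus a "type" parameter with any value.
    if "mo" not in params.get("origin", []) or "type" not in params:
        return None
    route = path[idx + len(PREFIX):].split("/", 1)[0]
    return "bypass-pattern-sensitive" if route in SENSITIVE else "bypass-pattern"

def scan(lines):
    """Return one dict per access-log line whose request matches the pattern."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # skip lines in an unexpected format
        ip, when, method, uri, status = m.groups()
        verdict = classify(uri)
        if verdict:
            hits.append({"ip": ip, "time": when, "method": method,
                         "uri": uri, "status": int(status), "verdict": verdict})
    return hits

# Constructed sample lines (documentation IP ranges, made-up times, statuses and routes).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Feb/2026:10:00:01 +0000] "GET /api/modular-connector/login/abc?origin=mo&type=xxx HTTP/1.1" 302 0',
    '198.51.100.23 - - [01/Feb/2026:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4521',
    '192.0.2.10 - - [01/Feb/2026:10:00:09 +0000] "GET /api/modular-connector/login/abc HTTP/1.1" 403 0',
    '203.0.113.7 - - [01/Feb/2026:10:00:12 +0000] "GET /blog//API/modular%2Dconnector/backup/?type=1&origin=mo HTTP/1.1" 200 88',
    '203.0.113.9 - - [01/Feb/2026:10:00:15 +0000] "GET /api/modular-connector/example?origin=mo&type=x HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["verdict"], hit["ip"], hit["status"], hit["uri"])
```

Because these parameters are what mark a request as a Modular direct request, a hit is a lead for triage rather than proof of compromise. Follow up on hits by reviewing the site's administrator accounts for ones created around the same time.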
“This vulnerability highlights how dangerous implicit trust in internal request paths can be when exposed to the public Internet,” Patchstack said.
“In this case, the issue was not caused by a single bug, but rather a combination of several design choices, including URL-based route matching, a permissive ‘direct request’ mode, authentication based solely on the site’s connectivity status, and a login flow that automatically falls back to an administrator account.”
