Absolute Compromise: 10.0 Flaw in Modular DS Plugin Grants Instant Admin Access
A critical vulnerability has been discovered in the widely used WordPress plugin Modular DS, and threat actors are actively exploiting it in the wild. The discovery was disclosed by security firm Patchstack.
The flaw, designated CVE-2026-23550, has been assigned the maximum severity score of 10.0 on the CVSS scale. It allows a remote, unauthenticated adversary to take over administrative privileges on a target website. It affects all versions of the plugin up to and including 2.5.1, and the fix was introduced in version 2.5.2. Modular DS is currently installed on over 40,000 WordPress sites.
Security experts explain that the vulnerable versions contain several architectural flaws. Combined, these defects allow authentication to be bypassed, resulting in an automatic login as an administrator. A pivotal role is played by a flawed routing system that is intended to shield sensitive functions but is easily circumvented in practice.
The plugin exposes all of its API routes under the path /api/modular-connector/. The protective layer can be bypassed by sending a request that contains the parameter origin=mo together with a type parameter set to any value. Under these conditions, the system wrongly classifies the request as internal and skips authenticity verification entirely. Because nothing cryptographically ties an incoming request to the actual Modular service, the bypass is trivial.
As a result, critical routes such as /login/, /server-information/, /manager/, and /backup/ are exposed. These endpoints allow an attacker to remotely access the system, exfiltrate sensitive server and user data, and carry out other dangerous operations. The worst case involves the /login/ route, which gives the adversary full administrative control over the site.
Patchstack reports that the first wave of attacks was recorded on January 13, 2026, at approximately 02:00 UTC. Adversaries were observed sending GET requests to /api/modular-connector/login/ before attempting to create covert administrative accounts. The attacks used the IP addresses 45.11.89.19 and 185.196.0.11.
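An added example, not taken from Patchstack or from the plugin's code: a log triage script that flags access-log requests matching what the article describes (requests under /api/modular-connector/ carrying origin=mo and a type parameter, the four named routes, and the two reported source IPs). It assumes the Apache/nginx combined log format; the sample lines are constructed, and a hit is a lead for review rather than proof of compromise.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

PREFIX = "/api/modular-connector/"                                 # API path from the article
SENSITIVE = {"login", "server-information", "manager", "backup"}   # routes it names
REPORTED_IPS = {"45.11.89.19", "185.196.0.11"}                     # source IPs it reports

# Assumed format: Apache/nginx "combined" access log.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def classify(line):
    """Return a finding dict for a suspicious plugin API request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, when, method, target, status = m.groups()
    url = urlsplit(target)
    path = unquote(url.path)
    if PREFIX not in path:          # 'in' also covers WordPress in a subdirectory
        return None
    route = path.split(PREFIX, 1)[1].split("/")[0]
    query = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    if "mo" in query.get("origin", []) and "type" in query:
        reasons.append("origin=mo with a type parameter")
    if route in SENSITIVE:
        reasons.append("sensitive route /" + route + "/")
    if ip in REPORTED_IPS:
        reasons.append("source IP reported in the article")
    if not reasons:
        return None
    return {"ip": ip, "time": when, "method": method, "route": route,
            "status": int(status), "reasons": reasons}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# Constructed sample log lines (not real traffic); "example" is a made-up route.
SAMPLE_LOG = """\
45.11.89.19 - - [13/Jan/2026:02:01:10 +0000] "GET /api/modular-connector/login/?origin=mo&type=x HTTP/1.1" 302 0 "-" "-"
203.0.113.7 - - [13/Jan/2026:02:05:00 +0000] "GET /blog/api/modular-connector/backup/?type=a&origin=mo HTTP/1.1" 200 512 "-" "-"
198.51.100.4 - - [13/Jan/2026:02:06:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "-"
198.51.100.9 - - [13/Jan/2026:02:07:00 +0000] "POST /api/modular-connector/example/ HTTP/1.1" 401 0 "-" "-"
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["method"], f["route"], "; ".join(f["reasons"]))
```

Any hit on the /login/ route is worth correlating with administrator accounts created around the same timestamp, since the article reports account creation as the follow-up step.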
After taking control, an attacker can inject malicious code, deface content, distribute malware, or redirect traffic to phishing domains, effectively achieving total compromise of the WordPress environment.
Given the ongoing exploitation, users of Modular DS are urged to update to version 2.5.2 without delay. Patchstack stresses that this incident illustrates the danger of implicitly trusting internal routing when those paths remain exposed to the public internet. In this case, the vulnerability arose not from a single oversight, but from a combination of poor design choices that together produced a critical security failure.