Security Alert: Critical Vulnerability in Modular DS WordPress Plugin
Jan 15, 2026 | Ravie Lakshmanan | Web Security / Vulnerability
A critical security vulnerability in the Modular DS plugin for WordPress is being actively exploited, according to Patchstack.
The flaw, tracked as CVE-2026-23550, carries a CVSS score of 10.0, the maximum severity rating.
It affects all versions of the plugin up to and including 2.5.1 and is fixed in the recently released version 2.5.2. The plugin has over 40,000 active installations.
According to Patchstack, the vulnerability is an unauthenticated privilege escalation that arises from a combination of factors:
directly accessible routes, an authentication bypass, and auto-login functionality for administrator accounts.
The root of the issue is the plugin's routing layer, which places sensitive routes, exposed under the “/api/modular-connector/” prefix, behind authentication middleware.
That protection can be bypassed whenever the “direct request” option is enabled.
Simply supplying an “origin” parameter set to “mo” together with an arbitrary “type” parameter (e.g., “origin=mo&type=xxx”) causes the request to be classified as a Modular direct request.
Patchstack elaborates, “Once a site has established a connection to Modular (with tokens either present or renewable), any individual can traverse the authentication middleware. There exists no cryptographic linkage between incoming requests and Modular itself.”
This exposes multiple routes, such as /login/, /server-information/, /manager/, and /backup/, which allow actions ranging from remote login to access to sensitive system or user data.
As a result, an unauthenticated attacker can use the “/login/{modular_request}” route to obtain administrator privileges and fully compromise the site.
From there, adversaries could make malicious modifications, plant malware, or redirect users to fraudulent schemes.
According to the security firm, the first attacks exploiting this vulnerability were observed on January 13, 2026, around 2 a.m. UTC.
They take the form of HTTP GET requests to the “/api/modular-connector/login/” endpoint, immediately followed by attempts to create an administrator account.
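As an added defender-side example (not part of the original article or of the plugin's own code), the following Python script scans web-server access logs for requests under the /api/modular-connector/ prefix that carry the origin=mo direct-request marker described above, ranking hits on the login route highest. The log lines, IP addresses, timestamps and the log-format regex are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2026:02:01:14 +0000] "GET /api/modular-connector/login/?origin=mo&type=xxx HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [13/Jan/2026:02:01:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "curl/8.4.0"
198.51.100.3 - - [13/Jan/2026:02:05:00 +0000] "GET /api/modular-connector/server-information/?origin=mo&type=1 HTTP/1.1" 200 2048 "-" "python-requests/2.31"
192.0.2.10 - - [13/Jan/2026:02:10:00 +0000] "GET /api/modular-connector/manager/ HTTP/1.1" 403 120 "-" "Mozilla/5.0"
192.0.2.11 - - [13/Jan/2026:02:11:00 +0000] "GET /wp-login.php?origin=mo HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# One line of the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
PREFIX = "/api/modular-connector/"

def inspect_request(line):
    """Return a finding dict if the request carries the 'origin=mo' direct-request
    marker against a route under the plugin prefix, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.startswith(PREFIX):
        return None
    if parse_qs(parts.query).get("origin") != ["mo"]:
        return None
    # First path segment after the prefix names the exposed route (login, manager, ...).
    route = parts.path[len(PREFIX):].strip("/").split("/")[0] or "<root>"
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "route": route,
        "status": int(m["status"]),
        # The login route auto-logs the caller in as an administrator, so rank it highest.
        "severity": "high" if route == "login" else "medium",
    }

def scan(log_text):
    """Scan a whole log and return findings in order of appearance."""
    return [f for f in map(inspect_request, log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['ts']} route={f['route']} status={f['status']}")
```

Requests that reach the prefix without the marker (such as the 403 on /manager/ above) are left alone, so the rule keys on the bypass condition rather than on any traffic to the plugin's API.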
Given the active exploitation of CVE-2026-23550, users of the Modular DS plugin should update to the patched version promptly.

Patchstack cautions, “This vulnerability underscores the peril inherent in placing implicit trust in internal request paths when exposed to the public internet.”
The problem was not a single defect but a combination of design decisions: URL-based route matching, a permissive ‘direct request’ mode, authentication based solely on whether the site is connected, and a login flow that defaults to an administrator account.
Source link: Thehackernews.com.