Full Report
A maximum-severity security flaw in a WordPress plugin called Modular DS has come under active exploitation in the wild, according to Patchstack. The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), has been described as a case of unauthenticated privilege escalation impacting all versions of the plugin prior to and including 2.5.1. It has been patched in version 2.5.2. The plugin
Analysis Summary
# Vulnerability: Unauthenticated Privilege Escalation in WordPress Modular DS Plugin
## CVE Details
- CVE ID: CVE-2026-23550
- CVSS Score: 10.0 (Critical)
- CWE: Insufficient Authorization (implied by unauthenticated access/privilege escalation)
## Affected Systems
- Products: WordPress Plugin - Modular DS
- Versions: All versions prior to and including 2.5.1
- Configurations: Any site with the plugin installed where the "direct request" mode is enabled (enabled by default or configured).
## Vulnerability Description
The Modular DS plugin contains a critical flaw rooted in its external route handling mechanism located under the `/api/modular-connector/` prefix. By sending a request with specific parameters (`origin=mo` and `type=any_value`), an attacker can bypass the authentication middleware, provided the site is already connected to Modular (tokens present). This bypass allows access to previously protected administrative routes such as `/login/`, `/manager/`, and `/backup/`. Exploiting the `/login/{modular_request}` route results in **unauthenticated privilege escalation to administrator level**.
## Exploitation
- Status: Exploited in the wild
- Complexity: Low (Prerequisites: Tokens must be present/renewable on the site)
- Attack Vector: Network
## Impact
- Confidentiality: High (Access to sensitive system or user data, e.g., via `/server-information/` route)
- Integrity: High (Ability to perform administrative actions, introduce malicious changes, stage malware)
- Availability: Medium (Potential denial of administrative access or site disruption)
## Remediation
### Patches
- Modular DS version 2.5.2 and later addresses the flaw.
### Workarounds
- Restrict access to the plugin endpoints via WAF or network rules if upgrading is immediately impossible.
- Consider temporarily disabling the plugin if immediate patching is not feasible, given active exploitation.
## Detection
- **Indicators of Compromise (IOCs):** Look for HTTP GET requests to the endpoint `/api/modular-connector/login/` followed by attempts to create administrative users.
- **Detection Methods and Tools:** Monitor web server and application logs for requests matching the malicious parameter structure (`origin=mo&type=xxx`) directed at plugin endpoints. Security monitoring tools covering WordPress endpoints should flag unusual unauthenticated access to administrative functions.
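
A log check along the lines described above, as an added example that is not from Patchstack or the plugin's code: it flags access-log lines that reach the `/api/modular-connector/` prefix with `origin=mo` plus a `type` parameter, or that touch the routes this report names. The common/combined log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

PREFIX = "/api/modular-connector/"
# Routes the report names as reachable once the middleware is bypassed.
SENSITIVE = {"login", "manager", "backup", "server-information"}
# Assumed log layout: Apache/nginx common or combined format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify(line):
    """Return (ip, route, status, reasons) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = unquote(url.path).lower()
    pos = path.find(PREFIX)          # find() also covers sub-directory installs
    if pos < 0:
        return None
    route = path[pos + len(PREFIX):].split("/", 1)[0]
    # parse_qs decodes %-escapes; keep_blank_values keeps an empty "type="
    query = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    if "mo" in query.get("origin", []) and "type" in query:
        reasons.append("bypass-params")
    if route in SENSITIVE:
        reasons.append("sensitive-route")
    if not reasons:
        return None
    return m["ip"], route, int(m["status"]), reasons

def scan(lines):
    """Classify every line and keep only the findings."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [15/Jan/2026:10:01:02 +0000] "GET /api/modular-connector/login/?origin=mo&type=x HTTP/1.1" 302 0',
    '198.51.100.7 - - [15/Jan/2026:10:01:05 +0000] "GET /api/modular-connector/server-information?origin=%6Do&type= HTTP/1.1" 200 512',
    '192.0.2.10 - - [15/Jan/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096',
    '203.0.113.5 - - [15/Jan/2026:10:03:00 +0000] "GET /blog/api/modular-connector/example?origin=mo&type=y HTTP/1.1" 200 20',
    '192.0.2.10 - - [15/Jan/2026:10:04:00 +0000] "GET /?s=origin%3Dmo HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, route, status, reasons in scan(SAMPLE_LOG):
        print(f"{ip} route={route!r} status={status} reasons={','.join(reasons)}")
```

Correlate any hit with subsequent administrator account creation, which the report lists as the follow-on activity.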
## References
- Patchstack Advisory: hxxps://patchstack{dot}com/articles/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild/
- Exploitation Reports: The Hacker News (Source Article)