Critical WordPress Plugin Exploit Grants Instant Admin Access
Attackers are actively exploiting a critical unauthenticated privilege escalation vulnerability in the Modular DS WordPress plugin. This severe flaw grants instant administrative access to affected WordPress sites, with in-the-wild exploitation confirmed.
Affecting over 40,000 sites, the flaw in versions up to 2.5.1 has prompted urgent patches and mitigations from Patchstack and the vendor.
Modular DS, developed by modulards.com, enables remote management of multiple WordPress sites, including monitoring, updates, and backups.
According to Patchstack, the core issue stems from a flaw in the plugin’s Laravel-like router at /api/modular-connector/.
Attackers can trigger “direct request” mode using origin=mo and any type parameter, evading auth middleware if the site is connected to Modular services.
This exposes protected routes like /login/{modular_request}, where the AuthController automatically logs the requester in as an admin user via getAdminUser() if no user ID is specified. No signatures, secrets, or IP checks validate requests, so the bypass chains to full compromise through actions like cache clearing, backups, or plugin installs.
| CVE ID | CVSS v3.1 Score | Severity | Affected Versions | Fixed Version |
|---|---|---|---|---|
| CVE-2026-23550 | 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Critical | <= 2.5.1 | 2.5.2 |
Active Exploitation and IOCs
Attacks began January 13, 2026, around 2 AM UTC, targeting /api/modular-connector/login/ with origin=mo&type=foo. Successful exploits create backdoor admin accounts with names like “PoC Admin” and fake email addresses. Patchstack detected matching attempts after deploying its mitigation.
| Attacker IP | Notes |
|---|---|
| 45.11.89[.]19 | Initial scans |
| 162.158.123[.]41 | Login probes |
| 172.70.176[.]95 | Admin creation |
| 172.70.176[.]52 | Persistence attempts |
Version 2.5.2 removes URL-based route matching, adds a default 404 fallback, and enforces type validation (request, oauth, lb) before binding routes. Patchstack’s mitigation rule automatically blocks exploits.
Modular DS users must update immediately; enable auto-updates for vulnerable plugins. Scan logs for IOCs and revoke suspicious admins. This incident underscores the risks of publicly exposed permissive internal routing and emphasizes the need for cryptographic request validation.
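One way to run the log scan described above, as an added example that is not code from Patchstack or the vendor: it flags requests under /api/modular-connector/ that carry origin=mo, hit the login route, or come from an IP in the IOC table. The combined access-log format, the function names, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Source IPs from the article's IOC table, refanged for matching.
IOC_IPS = {"45.11.89.19", "162.158.123.41", "172.70.176.95", "172.70.176.52"}
ROUTE = "/api/modular-connector/"
# Assumed log layout: Apache/nginx combined format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def classify(line):
    """Return a finding for a request matching the reported pattern, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    raw_path, _, raw_query = m["target"].partition("?")
    # Decode %XX and collapse repeated slashes so encoded variants still match.
    path = re.sub(r"/{2,}", "/", unquote(raw_path)).lower()
    if not path.startswith(ROUTE):
        return None
    reasons = []
    if "mo" in parse_qs(raw_query, keep_blank_values=True).get("origin", []):
        reasons.append("origin=mo")
    # Flagged on its own because access logs rarely record POST bodies.
    if path[len(ROUTE):].startswith("login"):
        reasons.append("login-route")
    if m["ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    if not reasons:
        return None
    # A 2xx/3xx answer means the request was served: review admin accounts.
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "reasons": reasons, "served": m["status"][0] in "23"}

def scan(lines):
    """Classify every log line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines, not real traffic; non-IOC addresses use
# RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jan/2026:02:04:11 +0000] "GET /api/modular-connector/login/?origin=mo&type=foo HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.7 - - [13/Jan/2026:02:04:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.23 - - [13/Jan/2026:02:10:40 +0000] "GET /api//modular-connector/%6Cogin/x?type=foo&origin=mo HTTP/1.1" 404 0 "-" "-"',
    '45.11.89.19 - - [13/Jan/2026:02:11:02 +0000] "GET /api/modular-connector/ HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [13/Jan/2026:02:12:30 +0000] "GET /api/modular-connector/?type=request HTTP/1.1" 200 64 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with "served" set to true is the cue to audit the site's administrator accounts for entries created around that timestamp; an IP-only match is a weaker signal and mainly a prompt to review the surrounding requests.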