Critical WordPress Plugin Exploit Grants Instant Admin Access
Attackers are actively exploiting a critical unauthenticated privilege escalation vulnerability in the Modular DS WordPress plugin. This severe flaw grants instant administrative access to affected...
Attackers are actively exploiting a critical unauthenticated privilege escalation vulnerability in the Modular DS WordPress plugin. This severe flaw grants instant administrative access to affected WordPress sites, with in-the-wild exploitation confirmed.
Affecting over 40,000 sites, the flaw in versions up to 2.5.1 has prompted urgent patches and mitigations from Patchstack and the vendor.
Modular DS, developed by modulards.com, enables remote management of multiple WordPress sites, including monitoring, updates, and backups.
According to Patchstack, the core issue stems from a flaw in the plugin’s Laravel-like router at /api/modular-connector/.
Attackers can trigger “direct request” mode using origin=mo and any type parameter, evading auth middleware if the site is connected to Modular services.
This exposes protected routes like /login/{modular_request}, where the AuthController auto-logs in as an admin user via getAdminUser() if no user ID is specified. No signatures, secrets, or IP checks validate requests, chaining to full compromise via actions like cache clearing, backups, or plugin installs.
| CVE ID | CVSS v3.1 Score | Severity | Affected Versions | Fixed Version |
|---|---|---|---|---|
| CVE-2026-23550 | 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Critical | <= 2.5.1 | 2.5.2 |
Active Exploitation and IOCs
Attacks began January 13, 2026, around 2 AM UTC, targeting /api/modular-connector/login/ with origin=mo&type=foo. Successful exploits create backdoor admins named like “PoC Admin” with fake emails. Patchstack detected matching attempts post-mitigation deployment.
| Attacker IP | Notes |
|---|---|
| 45.11.89[.]19 | Initial scans |
| 162.158.123[.]41 | Login probes |
| 172.70.176[.]95 | Admin creation |
| 172.70.176[.]52 | Persistence attempts |
Version 2.5.2 removes URL-based route matching, adds a default 404 fallback, and enforces type validation (request, oauth, lb) before binding routes. Patchstack’s mitigation rule automatically blocks exploits.
Modular DS users must update immediately; enable auto-updates for vulnerable plugins. Scan logs for IOCs and revoke suspicious admins. This incident underscores the risks of publicly exposed permissive internal routing and emphasizes the need for cryptographic request validation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.