Critical Vulnerability in WordPress Plugin Allows Unauthorized Admin Access; Update Urged

Critical Vulnerability in WordPress Modular DS Plugin Allows Unauthorized Admin Access

A critical security vulnerability has been identified in the WordPress plugin Modular DS, which has over 40,000 active installations. The flaw, tracked as CVE-2026-23550 and rated with the maximum CVSS score of 10.0, allows unauthenticated attackers to obtain administrator privileges, which can lead to full site compromise. It affects all versions up to and including 2.5.1 and is fixed in version 2.5.2.

The vulnerability stems from the plugin’s routing layer, which is meant to keep certain routes behind an authentication barrier. That barrier can be bypassed when the plugin’s direct request mode is enabled: a request carrying an origin parameter set to mo together with a type parameter of any value (for example, origin=mo&type=xxx) is treated as a direct Modular request and skips authentication altogether. This exposes several sensitive routes, including /login/, /server-information/, /manager/, and /backup/, and permits unauthorized actions such as remote login and access to sensitive system or user data.

Exploiting the flaw through the /login/{modular_request} route hands the attacker an administrator session, because the plugin’s login flow defaults to an administrator account. The result can be a complete site takeover: malicious changes, malware deployment, or redirection of visitors to fraudulent sites.
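To make the design flaw concrete, the following is an added illustration written for this article, not code from the Modular DS plugin. It models the four design choices named in the advisory (URL-prefix route matching, a permissive direct request mode switched on by origin=mo&type=..., authentication based only on a site-level "connected" flag, and a login flow that defaults to an administrator) in a toy router, and places a hardened router next to it. The route names come from the advisory; the SITE state, the `sign()` scheme and all handler outcomes are hypothetical.

```python
from typing import Optional
from urllib.parse import urlsplit, parse_qs
import hashlib
import hmac

# Routes named in the advisory; the guard logic around them is hypothetical.
PROTECTED = {"/login/", "/server-information/", "/manager/", "/backup/"}

# Hypothetical site state. "connected" records that the site was paired with
# the management service at some point; it says nothing about the sender of
# the current request. "secret" stands in for a per-site shared secret.
SITE = {"connected": True, "secret": b"hypothetical-shared-secret"}


def _prefix_route(path: str) -> str:
    """URL-based matching: /login/{anything} collapses to the /login/ handler."""
    parts = [p for p in path.split("/") if p]
    return "/" + parts[0] + "/" if parts else "/"


def vulnerable_dispatch(url: str, session_user: Optional[str] = None) -> str:
    """Model of the flawed routing layer: returns the effective outcome."""
    u = urlsplit(url)
    q = parse_qs(u.query)
    route = _prefix_route(u.path)
    # Permissive "direct request" mode: origin=mo plus any type= value is taken
    # as proof that the request came from the management service.
    is_direct = q.get("origin") == ["mo"] and "type" in q
    if route in PROTECTED:
        if is_direct:
            # Authentication based solely on site connection state.
            if not SITE["connected"]:
                return "denied"
        elif session_user is None:
            return "denied"
    if route == "/login/":
        return "admin"  # login flow defaults to an administrator account
    return "served"


def sign(secret: bytes, path: str, query: str) -> str:
    """Per-request proof of origin (hypothetical scheme): HMAC over path and query."""
    return hmac.new(secret, f"{path}?{query}".encode(), hashlib.sha256).hexdigest()


def hardened_dispatch(url: str, signature: Optional[str] = None,
                      session_user: Optional[str] = None) -> str:
    """Same routes, with the four design choices reversed."""
    u = urlsplit(url)
    q = parse_qs(u.query)
    if u.path != "/" and u.path not in PROTECTED:
        return "not_found"  # exact route matching, no prefix collapse
    if u.path in PROTECTED:
        expected = sign(SITE["secret"], u.path, u.query)
        signed_ok = signature is not None and hmac.compare_digest(expected, signature)
        # Connection state alone proves nothing; the request itself must be
        # signed, or a logged-in WordPress user must be making it.
        if not (SITE["connected"] and signed_ok) and session_user is None:
            return "denied"
    if u.path == "/login/":
        # No default account: the (signed) request must name who to log in as.
        user = q.get("user", [None])[0]
        return "denied" if user is None else f"login:{user}"
    return "served"
```

Against the vulnerable router, /login/abc?origin=mo&type=xxx returns "admin" with no session at all; against the hardened one the same URL is not even a route, and /login/?origin=mo&type=xxx is denied because nothing proves the request came from the service. The HMAC here covers only path and query to keep the example short; a real scheme would also bind a timestamp or nonce so that a captured signed request cannot be replayed.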

Patchstack reported that attacks exploiting this vulnerability were first detected on January 13, 2026, around 2 a.m. UTC. These attacks involved HTTP GET requests to the /api/modular-connector/login/ endpoint, followed by attempts to create an admin user. The attacks originated from the IP addresses 45.11.89[.]19 and 185.196.0[.]11.
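As an added example, not part of Patchstack’s or Modular DS’s material, the script below runs the indicators quoted above over web server access logs: hits on /api/modular-connector/ paths carrying origin=mo and a type parameter, the two reported source addresses, and a follow-on user-creation request from an address that already triggered the bypass. The log lines are constructed for the example and are not real traffic; /wp-admin/user-new.php and /wp-json/wp/v2/users are the standard WordPress user-creation endpoints and are assumed here as the follow-on indicator for the admin-user creation the report mentions.

```python
import re
from urllib.parse import urlsplit, parse_qs

KNOWN_SOURCES = {"45.11.89.19", "185.196.0.11"}  # addresses from the Patchstack report
CONNECTOR_PREFIX = "/api/modular-connector/"
USER_CREATION = {"/wp-admin/user-new.php", "/wp-json/wp/v2/users"}  # assumed follow-on

# Apache/nginx combined log format: client, identity, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic): a bypass attempt and a follow-on
# user creation from a reported address, a bypass attempt from an unrelated
# scanner, and an ordinary page view.
SAMPLE_LOG = """\
45.11.89.19 - - [13/Jan/2026:02:04:11 +0000] "GET /api/modular-connector/login/x?origin=mo&type=xxx HTTP/1.1" 200 512
45.11.89.19 - - [13/Jan/2026:02:04:13 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0
203.0.113.7 - - [13/Jan/2026:09:31:02 +0000] "GET /api/modular-connector/manager/?origin=mo&type=1 HTTP/1.1" 200 2048
198.51.100.22 - - [13/Jan/2026:09:40:00 +0000] "GET /index.php HTTP/1.1" 200 10240
"""


def is_direct_mode_bypass(target: str) -> bool:
    """True when a request target matches the origin=mo&type=... bypass pattern."""
    u = urlsplit(target)
    if not u.path.startswith(CONNECTOR_PREFIX):
        return False
    q = parse_qs(u.query)
    return q.get("origin") == ["mo"] and "type" in q


def triage(log_text: str) -> list:
    """Return one finding per suspicious line, in log order, with the reasons it fired."""
    findings = []
    bypass_sources = set()  # addresses that already hit the bypass in this log
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target = m["ip"], m["method"], m["target"]
        reasons = []
        if is_direct_mode_bypass(target):
            reasons.append("modular_direct_request")
            bypass_sources.add(ip)
        if ip in KNOWN_SOURCES:
            reasons.append("known_source")
        if (ip in bypass_sources and method == "POST"
                and urlsplit(target).path in USER_CREATION):
            reasons.append("admin_user_creation_after_bypass")
        if reasons:
            findings.append({"ip": ip, "ts": m["ts"], "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["target"], ",".join(f["reasons"]))
```

The bypass pattern is the indicator to rely on: the two addresses are useful for confirming the reported campaign, but any scanner can send origin=mo&type=... from anywhere, so the third sample line is flagged even though its source is not in the list. Pair the output with a review of the WordPress user table for administrator accounts created at or after the flagged timestamps.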

Given the active exploitation, users of the Modular DS plugin are strongly advised to update to version 2.5.2 immediately. The incident underscores the risk of implicitly trusting internal request paths that are exposed to the public internet: the flaw resulted from the combination of URL-based route matching, a permissive ‘direct request’ mode, authentication based solely on site connection state, and a login flow that defaults to an administrator account.

Modular DS recommends that users review their sites for signs of compromise, such as unexpected administrator users or suspicious requests from automated scanners. If any are found, take the following steps:

– Regenerate WordPress salts to invalidate all existing sessions.

– Regenerate the plugin’s OAuth credentials.

– Scan the site for malicious plugins, files, or code.
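The first step above, rotating the WordPress salts, is the one that can be shown directly. The following is an added example, not a Modular DS or WordPress tool: it rewrites the eight salt defines in wp-config.php with fresh 64-character values generated locally and refuses to continue if any of the eight is missing, so a partially rotated configuration is never written. The sample wp-config.php content is constructed for the example.

```python
import re
import secrets
import string

# The eight constants WordPress uses to key its cookies and nonces.
WP_SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Printable ASCII minus characters that would need escaping inside a
# single-quoted PHP string or that shells and editors tend to mangle.
_ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in "'\"\\$`")

# Matches define('NAME', 'value'); with arbitrary spacing and escaped quotes in value.
_DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>(?:[^'\\]|\\.)*)'\s*\);"
)

# Constructed sample configuration (not a real site's file).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""


def new_salt(length: int = 64) -> str:
    """A fresh salt from the OS CSPRNG."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def read_salts(config_text: str) -> dict:
    """Current values of the eight salt defines, keyed by constant name."""
    return {m["name"]: m["value"] for m in _DEFINE_RE.finditer(config_text)
            if m["name"] in WP_SALT_KEYS}


def rotate_wp_salts(config_text: str):
    """Return (new_config_text, replaced_names). Only the salt defines change."""
    replaced = []

    def repl(m):
        name = m["name"]
        if name not in WP_SALT_KEYS:
            return m.group(0)  # DB_NAME and friends pass through untouched
        replaced.append(name)
        return f"define('{name}', '{new_salt()}');"

    new_text = _DEFINE_RE.sub(repl, config_text)
    missing = set(WP_SALT_KEYS) - set(replaced)
    if missing:
        raise ValueError(f"salt defines not found in wp-config.php: {sorted(missing)}")
    return new_text, replaced


if __name__ == "__main__":
    import shutil
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "wp-config.php"
    shutil.copyfile(path, path + ".bak")  # keep the previous configuration
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    rotated, names = rotate_wp_salts(text)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rotated)
    print(f"rotated {len(names)} salts in {path}; previous copy at {path}.bak")
```

Rotating the salts invalidates every existing login cookie, including the attacker’s, but it does not remove an administrator account the attacker created, nor does it touch the plugin’s OAuth credentials; those are the reason the remaining steps in the list exist. Sites managed through WP-CLI can achieve the same salt rotation with `wp config shuffle-salts`.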

The vulnerability was located in a custom routing layer that extends Laravel’s route matching. Its overly permissive matching logic allowed crafted requests to reach protected endpoints without any authentication check.