Critical Modular DS WordPress plugin flaw exploited in the wild

A technical analysis by Patchstack reported that a maximum-severity vulnerability in the WordPress plugin Modular DS is under active exploitation. The flaw is tracked as CVE-2026-23550 with a CVSS score of 10.0 and affects versions up to 2.5.1. The plugin has more than 40,000 active installs.

KEY FACTS

  • Incident: Unauthenticated privilege escalation exploited in the wild
  • CVE: CVE-2026-23550, CVSS 10.0
  • Affected: All versions up to and including 2.5.1
  • Patch: Fixed in version 2.5.2
  • Installs: More than 40,000 active sites

The vulnerability allows an unauthenticated attacker to escalate privileges to administrator and can lead to full site compromise, including code changes, malware staging, or redirects.

The issue stems from the plugin's routing under the /api/modular-connector/ prefix. When direct request mode is enabled, a request supplying origin=mo together with any type value is treated as a Modular direct request and bypasses authentication. That behavior can expose endpoints such as /login/, /server-information/, /manager/, and /backup/.

Active exploitation was first observed on January 13, 2026, with HTTP GET calls to /api/modular-connector/login/ followed by attempts to create an admin user. Attacks were seen from the IP addresses 45.11.89.19 and 185.196.0.11. According to the vendor advisory, the issue is fixed in version 2.5.2.
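The access-log review described above, as an added example that is not part of the Patchstack analysis or the plugin's own code: it flags requests under the plugin prefix that carry origin=mo and marks the two source addresses named in the advisory. The log lines and the 203.0.113.x / 198.51.100.x addresses are constructed samples, and the combined log format is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PREFIX = "/api/modular-connector/"
# Source addresses the advisory reported for the exploitation attempts.
KNOWN_ATTACKER_IPS = {"45.11.89.19", "185.196.0.11"}

# Constructed sample log lines (not real traffic); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges used as placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2026:08:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
45.11.89.19 - - [13/Jan/2026:08:03:40 +0000] "GET /api/modular-connector/login/?origin=mo&type=1 HTTP/1.1" 200 812 "-" "curl/8.4"
198.51.100.7 - - [13/Jan/2026:09:15:00 +0000] "GET /api/modular-connector/server-information/?origin=mo&type=x HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.5 - - [13/Jan/2026:09:20:12 +0000] "GET /api/modular-connector/status/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one log line into a dict with path and query parameters, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return entry

def is_direct_request_probe(entry):
    """Request under the plugin prefix that carries origin=mo (any type value)."""
    return entry["path"].startswith(PREFIX) and entry["query"].get("origin") == "mo"

def find_suspicious(log_text):
    """Return flagged requests; a reviewer still compares the sources against the
    vendor's legitimate service addresses (not known here) before acting on them."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_direct_request_probe(e):
            hits.append({
                "ip": e["ip"], "ts": e["ts"], "path": e["path"],
                "status": int(e["status"]),
                "known_attacker": e["ip"] in KNOWN_ATTACKER_IPS,
                "login_endpoint": e["path"] == PREFIX + "login/",
            })
    return hits
```

A flagged /login/ request with a 200 status followed shortly by a new administrator account in wp_users is the sequence the advisory describes and warrants the session and credential rotation listed below.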

Users are advised to update immediately and to review sites for signs of compromise. Recommended steps include regenerating WordPress salts to invalidate sessions, regenerating OAuth credentials, and scanning for malicious plugins, files, or code.

WHY IT MATTERS

An unauthenticated privilege escalation with a CVSS score of 10.0 can give attackers full control of WordPress sites and affect a large number of installations. Applying the patch and performing a site review reduce the immediate risk.