A maximum-severity security flaw in the Modular DS WordPress plugin is said to have come under active exploitation in the wild, according to Patchstack.
The vulnerability, tracked as CVE-2026-23550 (CVSS score: 10.0), is described as a case of unauthenticated privilege escalation affecting all versions of the plugin before and including 2.5.1. It has been patched in version 2.5.2. The plugin has over 40,000 active installs.
“In versions 2.5.1 and below, the plugin is vulnerable to privilege escalation due to a combination of factors including direct route selection, bypassing authentication mechanisms, and auto-login as administrator,” Patchstack said.
The problem lies in its routing mechanism, which is designed to keep certain sensitive routes behind the authentication barrier. The plugin exposes its routes under the “/api/modular-connector/” prefix.
However, it has been found that this security layer can be bypassed whenever a “direct request” is made, which requires nothing more than supplying the “origin” parameter set to “mo” and the “type” parameter set to any value (for example, “origin=mo and type=xxx”). Any such request is treated as a Modular direct request.
“Therefore, as soon as the site is already connected to Modular (token present/renewable), anyone can pass the auth middleware: there is no cryptographic link between the incoming request and Modular,” Patchstack explained.
“It exposes multiple routes, including /login/, /server-info/, /manager/, and /backup/, allowing it to perform a variety of actions ranging from remote login to obtaining sensitive system or user data.”
As a result of this flaw, an unauthenticated attacker could use the “/login/{modular_request}” route to gain administrator access, an escalation of privilege that could lead to the entire site being compromised, allowing the attacker to make malicious changes, stage malware, or redirect users to scams.
According to details shared by the WordPress security company, the first attacks exploiting the flaw were detected on January 13, 2026, at approximately 2 a.m. UTC, when an HTTP GET request to the “/api/modular-connector/login/” endpoint was followed by an attempt to create an administrator user.
The attacks originated from the following IP addresses –
In light of the active exploitation of CVE-2026-23550, users of the plugin are advised to update to a patched version as soon as possible.
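To help defenders spot the exploitation pattern described above in web server access logs, here is an added Python example (not Patchstack's or the plugin's own code) that flags requests to /api/modular-connector/ routes carrying the origin=mo and type markers, rating the /login/ route highest. The log lines are constructed samples, and the example assumes the server records query strings intact.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Jan/2026:02:01:15 +0000] "GET /api/modular-connector/login/?origin=mo&type=xxx HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [13/Jan/2026:02:03:44 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Jan/2026:02:04:01 +0000] "GET /api/modular-connector/server-info/?origin=mo&type= HTTP/1.1" 200 980 "-" "curl/8.4.0"
192.0.2.55 - - [13/Jan/2026:02:05:30 +0000] "POST /api/modular-connector/manager/ HTTP/1.1" 403 120 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ROUTE_PREFIX = "/api/modular-connector/"
CRITICAL_ROUTES = {"login/"}  # route the write-up names as the admin auto-login path

def is_direct_request(query):
    """Mirror the bypass condition from the write-up: origin=mo plus any 'type'."""
    params = parse_qs(query, keep_blank_values=True)  # 'type=' with no value still counts
    return params.get("origin") == ["mo"] and "type" in params

def classify(line):
    """Return a finding dict for a plugin-route request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.startswith(ROUTE_PREFIX):
        return None
    route = url.path[len(ROUTE_PREFIX):]
    direct = is_direct_request(url.query)
    if direct and route in CRITICAL_ROUTES:
        severity = "critical"  # unauthenticated administrator login attempt
    elif direct:
        severity = "high"      # auth middleware bypass markers against another route
    else:
        severity = "info"      # plugin route touched without the bypass markers
    return {"ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "route": route, "status": int(m["status"]), "severity": severity}

def scan(log_text):
    """Scan a block of access-log text and return findings in log order."""
    return [f for f in (classify(ln) for ln in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:15} {f['method']} {f['route']} -> {f['status']}")
```

A "critical" hit on a 200 response from before the update to 2.5.2 is a prompt to audit the administrator user list, not just to block the source address.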
“This vulnerability highlights how dangerous implicit trust in internal request paths can be when exposed to the public Internet,” Patchstack said.
“In this case, the problem was not caused by a bug, but by several design choices combined together: URL-based route matching, a permissive ‘direct request’ mode, authentication based only on site connection state, and a login flow that automatically falls back to the administrator account.”