A critical unauthenticated privilege escalation vulnerability in the Modular DS WordPress plugin allows attackers to gain instant admin access, with exploitation confirmed in the wild.
Affecting over 40,000 sites, the flaw in versions up to 2.5.1 has prompted urgent patches and mitigations from Patchstack and the vendor.
Modular DS, developed by modulards.com, enables remote management of multiple WordPress sites, including monitoring, updates, and backups.
According to Patchstack, the core issue stems from a flaw in the plugin’s Laravel-like router at /api/modular-connector/.
Attackers can trigger “direct request” mode using origin=mo and any type parameter, evading auth middleware if the site is connected to Modular services.
This exposes protected routes like /login/{modular_request}, where the AuthController auto-logs in as an admin user via getAdminUser() if no user ID is specified. No signatures, secrets, or IP checks validate requests, chaining to full compromise via actions like cache clearing, backups, or plugin installs.
| CVE ID | CVSS v3.1 Score | Severity | Affected Versions | Fixed Version |
|---|---|---|---|---|
| CVE-2026-23550 | 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) | Critical | <= 2.5.1 | 2.5.2 |
Active Exploitation and IOCs
Attacks began January 13, 2026, around 2 AM UTC, targeting /api/modular-connector/login/ with origin=mo&type=foo. Successful exploits create backdoor admins named like “PoC Admin” with fake emails. Patchstack detected matching attempts post-mitigation deployment.
| Attacker IP | Notes |
|---|---|
| 45.11.89[.]19 | Initial scans |
| 162.158.123[.]41 | Login probes |
| 172.70.176[.]95 | Admin creation |
| 172.70.176[.]52 | Persistence attempts |
Version 2.5.2 removes URL-based route matching, adds a default 404 fallback, and enforces type validation (request, oauth, lb) before binding routes. Patchstack’s mitigation rule automatically blocks exploits.
Modular DS users must update immediately; enable auto-updates for vulnerable plugins. Scan logs for IOCs and revoke suspicious admins. This incident underscores the risks of publicly exposed permissive internal routing and emphasizes the need for cryptographic request validation.