Active Exploitation: Critical WordPress Plugin Vulnerability (CVSS 10.0)



Patchstack has confirmed the active exploitation of a maximum-severity vulnerability in the Modular DS WordPress plugin, affecting over 40,000 sites.

🔓 CVE-2026-23550 allows unauthenticated privilege escalation, enabling attackers to auto-login as administrators and fully compromise affected websites.

🧠 What’s the issue?

The flaw stems from overly permissive routing logic in the plugin’s /api/modular-connector/ endpoints.

Attackers can bypass authentication when:

  • Direct request mode is enabled
  • Requests include crafted parameters such as origin=mo&type=xxx

This causes protected routes to be treated as trusted internal requests — without cryptographic verification.

🎯 Exposed functionality includes:

  • /login/ → auto-admin access
  • /server-information/
  • /manager/
  • /backup/

Once exploited, attackers can:

  • Create new admin users
  • Exfiltrate sensitive data
  • Inject malware or backdoors
  • Redirect visitors to scams

🕒 Exploitation timeline

📅 First detected: January 13, 2026 (02:00 UTC)
🌍 Observed attacker IPs:

  • 45.11.89.19
  • 185.196.0.11

🛠️ Mitigation & Response

Update immediately to Modular DS 2.5.2.
🔍 Review your site for:

  • Unexpected admin accounts
  • Suspicious login attempts

If compromise is suspected:

  • Regenerate WordPress salts
  • Rotate OAuth credentials
  • Scan for malicious plugins/files
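To turn the "suspicious login attempts" check above into something you can run against web server access logs, here is an added example (my code, not Patchstack's and not the plugin's) that flags requests to the connector routes carrying the origin=mo marker and the auto-login path described above. The combined log format, the sample lines, and the exact route prefix on a given install are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Path fragment of the vulnerable endpoints named in the advisory; the exact
# prefix on a given install (e.g. whether it sits under /wp-json/) is an assumption.
CONNECTOR_PREFIX = "/api/modular-connector/"
KNOWN_IPS = {"45.11.89.19", "185.196.0.11"}  # attacker IPs reported in the advisory

# Combined-log-format parser (client IP, timestamp, method, target, status).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample access-log lines (hypothetical traffic, not real captures).
SAMPLE_LOG = """\
45.11.89.19 - - [13/Jan/2026:02:01:17 +0000] "GET /api/modular-connector/login/?origin=mo&type=xxx HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [13/Jan/2026:02:05:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Jan/2026:03:12:09 +0000] "POST /api/modular-connector/server-information/?origin=mo HTTP/1.1" 200 2048 "-" "python-requests/2.31"
192.0.2.10 - - [14/Jan/2026:09:40:02 +0000] "GET /api/modular-connector/login/?origin=mo HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

def classify(line):
    # Returns a finding for a suspicious connector request, or None for everything else.
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if CONNECTOR_PREFIX not in url.path:
        return None  # not a Modular DS connector route
    params = parse_qs(url.query)
    reasons = []
    if params.get("origin") == ["mo"]:
        reasons.append("origin=mo parameter")  # the marker that triggers the trust bypass
    if "type" in params:
        reasons.append("type parameter present")
    if url.path.rstrip("/").endswith("/login"):
        reasons.append("auto-login route")
    if m.group("ip") in KNOWN_IPS:
        reasons.append("known attacker IP")
    if not reasons:
        return None
    # A 200 on a flagged route points to a successful bypass rather than a probe.
    status = int(m.group("status"))
    reasons.append("HTTP 200 (likely succeeded)" if status == 200 else f"HTTP {status} (blocked or failed)")
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": url.path,
            "status": status, "reasons": reasons}

def scan(log_text):
    # Scan raw access-log text; findings come back in file order.
    return [f for f in map(classify, log_text.splitlines()) if f]
```

Any hit with "HTTP 200 (likely succeeded)" on the auto-login route should be treated as a probable compromise and followed by the account review and credential rotation steps above.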

🗣️ “This vulnerability shows how dangerous implicit trust in internal request paths can be when exposed to the public internet.” — Patchstack

🧭 Key Takeaway

This wasn’t a single bug — it was a chain of risky design decisions:

  • URL-based route matching
  • Trusting the connection state instead of the request identity
  • Auto-fallback admin login logic

A textbook example of how design flaws + exposed APIs = critical risk.
