

Ethical Hacking News

A Critical Vulnerability in WordPress Plugin Leaves Administrators at Risk: A Detailed Analysis




A critical vulnerability has been discovered in the Modular DS WordPress plugin, which is used by over 40,000 websites. The vulnerability allows attackers to escalate privileges without authentication, enabling unauthenticated admin takeover. This article provides a detailed analysis of the issue and highlights the importance of patching such critical issues.



  • A critical vulnerability (CVE-2026-23550, CVSS score of 10) was discovered in the Modular DS WordPress plugin.
  • The vulnerability allows attackers to escalate privileges without authentication, enabling unauthenticated admin takeover.
  • The issue was caused by flawed design choices, including URL-based route matching and a permissive “direct request” mode.
  • Attackers exploited this vulnerability as early as January 13, 2026, highlighting the urgency of patching critical issues.
  • Users are strongly urged to update to version 2.5.2 immediately to stay protected.



    In a recent security alert, researchers from Patchstack revealed that a critical vulnerability had been discovered in the Modular DS WordPress plugin, which is used by over 40,000 websites to manage multiple sites and provide monitoring, updates, and remote administration. The vulnerability, tracked as CVE-2026-23550 (CVSS score of 10), allows attackers to escalate privileges without authentication, enabling unauthenticated admin takeover.


    The Modular DS plugin exposes API routes under /api/modular-connector/ protected by an auth middleware, but authentication can be bypassed via a flawed isDirectRequest() check. By simply setting origin=mo and a type parameter, requests are treated as trusted “direct” requests without any signature, secret, IP, or User-Agent validation. This allows attackers to access sensitive routes, such as login, system info, and backups, enabling unauthorized actions and data access.


    The issue was fixed in version 2.5.2 by removing URL-based route matching, adding a default 404 route, and restricting route binding to recognized request types only. However, the fact that attackers were able to exploit this vulnerability as early as January 13, 2026, highlights the urgency of patching such critical issues.


    According to Patchstack, the vulnerability was caused by a combination of design choices in the plugin, including URL-based route matching, a permissive “direct request” mode, authentication based only on the site connection state, and a login flow that automatically falls back to an administrator account. The researchers emphasize that this vulnerability highlights how dangerous implicit trust in internal request paths can be when exposed to the public internet.


    The attack vector used by threat actors involved targeting the plugin's login API to gain admin access and create new admin users. The activity came from two known IP addresses (45.11.89[.]19, 185.196.0[.]11). Users are strongly urged to update to the fixed version immediately to stay protected.
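    As an added illustration (not code from the article or from the Modular DS plugin), the following Python script scans web-server access logs for the two indicators the article gives: requests to the /api/modular-connector/ routes carrying the origin=mo and type parameters that the pre-2.5.2 isDirectRequest() check trusted, and requests from the two reported source IPs. It assumes the combined log format and that the parameters appear in the query string; the route names after the prefix and the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line (Apache/nginx default); fields we don't need are skipped.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

ROUTE_PREFIX = "/api/modular-connector/"          # plugin API prefix named in the advisory
KNOWN_BAD_IPS = {"45.11.89.19", "185.196.0.11"}   # source IPs reported in the advisory


def classify(line):
    """Return the reasons a log line is suspicious, or [] if nothing matched."""
    m = LOG_RE.match(line)
    if not m:
        return []                                   # unparseable line: skip it, don't guess
    reasons = []
    url = urlsplit(m["target"])
    params = parse_qs(url.query)
    # Pre-2.5.2 bypass marker: origin=mo together with any type parameter made the
    # request count as a trusted "direct" request on the plugin's API routes.
    if url.path.startswith(ROUTE_PREFIX) and params.get("origin") == ["mo"] and "type" in params:
        reasons.append("direct-request bypass pattern (origin=mo with type=)")
    if m["ip"] in KNOWN_BAD_IPS:
        reasons.append(f"request from reported attacker IP {m['ip']}")
    return reasons


def scan_log(lines):
    """Return a list of (ip, target, reasons) for every line that triggers a rule."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["target"], reasons))
    return hits


# Constructed sample log: only the route prefix, the origin/type parameters and the
# two IPs come from the advisory; route names and parameter values are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2026:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
45.11.89.19 - - [14/Jan/2026:10:01:05 +0000] "POST /api/modular-connector/some-route?origin=mo&type=sample HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.9 - - [14/Jan/2026:10:02:11 +0000] "GET /api/modular-connector/other-route?origin=mo&type=sample HTTP/1.1" 200 301 "-" "curl/8.0"
203.0.113.7 - - [14/Jan/2026:10:03:00 +0000] "GET /api/modular-connector/unknown HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {target}: {'; '.join(reasons)}")
```

    A hit from an unlisted IP still matters: the bypass pattern, not the source address, is the durable signal, and a 404 on the prefix (the default route added in 2.5.2) is not flagged on its own.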


    In conclusion, the discovery of this critical vulnerability in the Modular DS WordPress plugin serves as a reminder of the importance of regular security updates and the need for administrators to take proactive measures to protect their websites from exploitation.







    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Critical-Vulnerability-in-WordPress-Plugin-Leaves-Administrators-at-Risk-A-Detailed-Analysis-ehn.shtml

  • https://securityaffairs.com/186976/security/actively-exploited-critical-flaw-in-modular-ds-wordpress-plugin-enables-admin-takeover.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-23550

  • https://www.cvedetails.com/cve/CVE-2026-23550/


  • Published: Fri Jan 16 03:10:42 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.
