Critical Privilege Escalation in Modular DS WordPress Plugin Actively Exploited
Take action: If you are using Modular DS plugin for Wordpress, this is urgent. Your sites are being attacked. Immediately update Modular DS to version 2.6.0 and scan your user list for unauthorized accounts like 'PoC Admin'.
Learn More
A maximum severity critical flaw is reported in Modular DS plugin, a tool used to manage multiple websites through monitoring and remote task execution. The plugin has over 40,000 active installations.
The flaw is tracked as CVE-2026-23800 (CVSS score 10.0) a chain of issues including authentication bypass and automatic administrator login. Attackers can use these weaknesses to escalate privileges from a guest to a site administrator without any credentials.
Attackers are already using this exploit in the wild. Researchers observed hackers sending requests to the /api/modular-connector/login/ endpoint. The attacks often try to create a new user named PoC Admin with full administrative rights and target the REST API to probe for user information while using firefox as the user agent and usernames containing backup.
Because this plugin manages remote tasks and updates across multiple sites, a single compromise can lead to a breach across an entire network of WordPress instances.
Users must update the Modular DS plugin to version 2.6.0 or later ASAP. If you cannot update right away, check your logs for the PoC Admin username or requests containing the mo origin parameter.
