Critical Privilege Escalation in Modular DS WordPress Plugin Actively Exploited

Modular DS, a WordPress management plugin with over 40,000 active installations, contains a maximum-severity security flaw that's actively exploited in the wild to gain full administrative control over websites. 

The flaw is tracked as CVE-2026-23550 (CVSS score 10.0), аn unauthenticated privilege escalation vulnerability that allows attackers to log in as site administrators without a password. 

The plugin's internal routing has a "direct request" mode. By appending specific parameters like "origin=mo" to a URL, attackers trick the software into skipping authentication checks. The plugin trusts these requests if the site is already linked to the Modular service. Because there is no cryptographic verification to prove the request is legitimate, the system opens sensitive pathways to anyone on the public internet.

Exploitation of this enables full administrative login sessions, access to sensitive server configuration data, website backup files and user management and installation controls.

The flaw affects all versions up to and including 2.5.1. allows 

Security researchers at Patchstack first detected attacks on January 13, 2026. Hackers send HTTP GET requests to the plugin's API prefix to trigger the login bypass. Once they gain entry, they often create a new administrator account with a name containing "admin" to maintain persistent access. Reports indicate that multiple IP addresses are currently scanning for vulnerable sites to automate these takeovers.

Site owners should update to Modular DS version 2.5.2 immediately. The patch removes the flawed URL-based route matching and implements a more secure default 404 response for unrecognized requests. If you can't update immediately, deactivate the plugin to prevent compromise. Administrators should also audit their user lists for any suspicious accounts created on or after the January 13th.