WordPress “Modular DS” plugin — active exploitation
A CVSS 10 flaw (CVE-2026-23550) in the Modular DS WordPress plugin (≤ 2.5.1; ~40k installs) allows unauthenticated admin takeover via a routing design that bypasses authentication when “direct request” mode is enabled. Attackers can hit /api/modular-connector/login/ to gain admin access, then create new admin users or extract data. Exploitation began 13 Jan 2026; a fix is in 2.5.2. Users should patch, regenerate WordPress salts/OAuth credentials, and hunt for unexpected admin accounts or suspicious requests.
If you run Modular DS on WordPress, stop what you’re doing and patch to 2.5.2. A CVSS 10 bug (CVE-2026-23550) lets anyone on the internet waltz into your site as an administrator—no password required.
The design oops
The plugin exposes routes under /api/modular-connector/. With a permissive “direct request” mode, simply setting parameters like origin=mo&type=… convinces the plugin a request is trusted, bypassing auth checks. That opens routes such as /login/, /manager/, and /backup/—handy for attackers, disastrous for your site. Patchstack observed live exploitation starting 13 January 2026 with attempts to create admin users.
What to do now
• Update to 2.5.2 (or later).
• Regenerate the WordPress salts (the AUTH_KEY/… constants in wp-config.php) to invalidate every existing login cookie, rotate the OAuth credentials used for the Modular DS connection, and scan for unfamiliar plugins and files.
• Review admin users (especially any created on or after 13 January 2026) and web-server logs for requests to /api/modular-connector/login/, /manager/ or /backup/, particularly ones carrying origin=mo.
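One way to do that log review, as an added example that is not part of the advisory or the plugin's own tooling: it parses combined-format access log lines, picks out hits under /api/modular-connector/, and reports which source IPs got a 2xx on a sensitive route while passing origin=mo. The log lines, field order and the set of "sensitive" routes are assumptions taken from the description above; adapt them to your server.

```python
"""Hunt an access log for Modular DS connector abuse.

Added example, not from the advisory or the plugin. The log lines below are
constructed samples in Apache/nginx combined format; real logs, paths and
field order are assumptions you should adapt.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip - - [time] "METHOD target HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

CONNECTOR_PREFIX = "/api/modular-connector/"
# Routes the write-up names as reachable once the auth check is bypassed.
SENSITIVE_ROUTES = ("login", "manager", "backup")


def classify(line):
    """Return a dict describing a connector request, or None for other lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.startswith(CONNECTOR_PREFIX):
        return None
    route = url.path[len(CONNECTOR_PREFIX):].strip("/").split("/")[0]
    qs = parse_qs(url.query)
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "route": route,
        "status": int(m.group("status")),
        # origin=mo is the parameter the write-up says flips "direct request" trust
        "direct_origin": qs.get("origin", [""])[0] == "mo",
        "sensitive": route in SENSITIVE_ROUTES,
    }


def hunt(lines):
    """Summarise connector traffic: hits per route, plus source IPs that got a
    2xx on a sensitive route while passing origin=mo (the likely compromises)."""
    hits = [h for h in map(classify, lines) if h]
    by_route = Counter(h["route"] for h in hits)
    suspects = Counter(
        h["ip"] for h in hits
        if h["sensitive"] and h["direct_origin"] and 200 <= h["status"] < 300
    )
    return {"by_route": dict(by_route), "suspect_ips": dict(suspects)}


# Constructed sample log (not real traffic); addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2026:03:14:07 +0000] "GET /api/modular-connector/login/?origin=mo&type=login HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [13/Jan/2026:03:14:09 +0000] "POST /api/modular-connector/manager/?origin=mo&type=user HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.4 - - [13/Jan/2026:08:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jan/2026:08:02:30 +0000] "GET /api/modular-connector/backup/?origin=mo HTTP/1.1" 403 0 "-" "curl/8.4"
192.0.2.9 - - [13/Jan/2026:09:00:00 +0000] "GET /api/modular-connector/status/ HTTP/1.1" 200 40 "-" "ModularDS"
""".splitlines()

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

A 403 on /backup/ (the 198.51.100.4 line) is a probe that the patched plugin or a WAF blocked and is worth noting but not treating as a compromise; the 2xx hits on /login/ and /manager/ from 203.0.113.7 are the ones to escalate, and any admin account created around those timestamps should be presumed attacker-controlled.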
Why it matters
This isn’t a classic single bug. Several permissive design choices combined into a perfect storm: URL-based route matching, a loose “direct request” mode that trusts a request parameter, authentication based solely on whether the site is connected to the service rather than on who is calling, and a login flow that can fall back to an administrator account. In other words, a gentle nudge becomes an open door.
Bottom line: patch promptly and make route-exposed plugins prove who’s calling—cryptographically.
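To make that bottom line concrete, here is an added illustration (not the plugin's code, and not a description of the actual fix in 2.5.2) of the difference between deciding trust from request content and deciding it from a proof of possession. The weak check mirrors the pattern described above: a request parameter flips “direct” trust. The hardened check requires an HMAC over the method, path, timestamp and body, keyed with a per-site secret that would be issued when the site is connected; the secret, header names, signing scheme and the five-minute replay window are all assumptions.

```python
"""Parameter-trust vs. signed requests for a connector route.

Added illustration, not the plugin's code. The weak check is the pattern the
write-up describes (request content decides trust); the hardened check is one
way to make the caller prove it holds the connection secret. Header names,
the HMAC scheme and the replay window are assumptions.
"""
import hashlib
import hmac
import time


# --- Weak: trust decided by request content -------------------------------
def weak_is_trusted(params, direct_mode=True):
    """Anyone who can set origin=mo is 'trusted' while direct mode is on."""
    return direct_mode and params.get("origin") == "mo"


# --- Hardened: trust decided by an HMAC keyed with the connection secret ---
def canonical(method, path, timestamp, body):
    """Canonical string the signature covers; binds method, route, time and body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret, method, path, body, timestamp=None):
    """Client side: produce the headers a legitimate dashboard would send."""
    ts = str(int(time.time()) if timestamp is None else timestamp)
    sig = hmac.new(secret, canonical(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Timestamp": ts, "X-Signature": sig}


def signed_is_trusted(secret, method, path, body, headers, now=None, window=300):
    """Server side: accept only a fresh, correctly signed request."""
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > window:
        return False  # stale or replayed
    expected = hmac.new(secret, canonical(method, path, str(ts), body), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected MAC.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def demo():
    """Exercise both checks against an unauthenticated caller and a real one."""
    secret = b"per-site-connection-secret"  # assumed: issued when the site was connected
    method, path = "POST", "/api/modular-connector/manager/"
    body = b'{"type":"user"}'  # constructed sample payload

    # Unauthenticated caller: can set any parameter, but has no secret.
    attacker_params = {"origin": "mo", "type": "user"}
    attacker_headers = {"X-Timestamp": str(int(time.time())), "X-Signature": "00"}

    # Legitimate dashboard: signs the request with the shared secret.
    good_headers = sign_request(secret, method, path, body)

    return {
        "weak_accepts_attacker": weak_is_trusted(attacker_params),
        "signed_accepts_attacker": signed_is_trusted(secret, method, path, body, attacker_headers),
        "signed_accepts_legit": signed_is_trusted(secret, method, path, body, good_headers),
        # Same valid signature presented an hour later: rejected as a replay.
        "signed_rejects_replay": not signed_is_trusted(
            secret, method, path, body, good_headers, now=int(time.time()) + 3600),
        # Same signature, altered body: rejected because the body hash is covered.
        "signed_rejects_tamper": not signed_is_trusted(
            secret, method, path, b'{"type":"list"}', good_headers),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point is not the specific scheme but the property: a parameter any caller can set proves nothing, while a MAC keyed with a secret only the connected dashboard holds proves who is calling, and binding the timestamp and body to it stops replay and tampering. A plugin that also falls back to an administrator account on a failed login should simply not have that fallback.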