Hackers are actively exploiting a most severity flaw within the Modular DS WordPress plugin that permits them to bypass authentication remotely and entry the weak websites with admin-level privileges.
The flaw, tracked as CVE-2026-23550, impacts variations 2.5.1 and older of Modular DS, a administration plugin that permits managing a number of WordPress websites from a single interface.
The plugin lets house owners, builders, or internet hosting suppliers remotely monitor websites, carry out updates, handle customers, entry server data, run upkeep duties, and log in. Modular DS has greater than 40,000 installations.
In response to Patchstack researchers, CVE-2026-23550 is presently exploited within the wild, the primary assaults being detected on January 13, round 02:00 UTC.
Patchstack confirmed the flaw and reached out to the seller on the next day. Modular DS launched a repair in model 2.5.2, only some hours later.
The vulnerability is brought on by a collection of design and implementation flaws, together with accepting requests as trusted when “direct request” mode is activated, with no cryptographic verify of their origin. This habits exposes a number of delicate routes and prompts an computerized admin login fallback mechanism.
If no particular person ID is supplied within the request physique, the plugin fetches an present admin or tremendous admin person, then logs in as that person robotically.
“Within the controller src/app/Http/Controllers/AuthController.php, methodology getLogin(SiteRequest $modularRequest), the code makes an attempt to learn a person ID from the physique of $modularRequest,” Patchstack explains.
“Since this code will be accessed by unauthenticated customers due to the flaw beforehand defined, it permits a direct privilege escalation,” the researchers say.
Supply: Patchstack
The patch in Modular DS model 2.5.2 eliminated URL-based route matching. It’s now pushed completely by validated filter logic, added a default 404 route, solely acknowledges ‘kind’ values for route binding, and contains a protected failure mode for unrecognized requests.
Customers of Modular DS are really helpful to improve to model 2.5.2 or later as quickly as potential.
In a security bulletin, the seller advises customers to evaluation server entry logs for suspicious requests, verify admin customers for rogue additions, and regenerate all WordPress salts after updating to the latest model.
Whether or not you are cleansing up outdated keys or setting guardrails for AI-generated code, this information helps your crew construct securely from the beginning.
Get the cheat sheet and take the guesswork out of secrets and techniques administration.
