**Actively Exploited Critical Flaw in Modular DS WordPress Plugin Enables Admin Takeover**
A critical vulnerability has been discovered in the popular WordPress plugin Modular DS that allows attackers to gain admin access and take control of affected sites. The flaw, tracked as CVE-2026-23550, carries a CVSS score of 10, the maximum severity.
Modular DS is a widely used WordPress plugin with over 40,000 installs that lets site owners manage multiple WordPress sites from one place, providing monitoring, updates, and remote administration. Versions 2.5.1 and earlier are affected by the flaw, which lets an unauthenticated attacker escalate privileges and obtain admin access.
According to a report published by the security firm Patchstack, the vulnerability stems from a combination of factors: URL-based direct route selection, a bypass of the authentication mechanism, and an automatic login as administrator. The plugin exposes API routes under `/api/modular-connector/` that are protected by an auth middleware, but that protection can be bypassed through a flawed `isDirectRequest()` check.
The report explains: "There is no verification of a signature, secret, IP, or mandatory User-Agent. The simple pair `origin=mo&type=xxx` is enough for the request to be considered as a Modular direct request." This means that attackers can access sensitive routes, such as login and system info, without any validation.
Once a site is connected to Modular, the absence of any cryptographic validation lets anyone bypass the auth middleware, exposing routes such as `/login` and `/backup` to remote access and data theft. The issue was fixed in v2.5.2 by removing URL-based route matching, adding a default 404 route, and restricting route binding to recognized request types only.
Security researchers have confirmed that attacks began on January 13, 2026, targeting the plugin's login API to gain admin access and create new admin users. The activity came from two IP addresses (45.11.89[.]19, 185.196.0[.]11). Users are strongly urged to update to the fixed version immediately to stay protected.
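As an added example, not code from Patchstack, Modular DS or this article: a small Python triage script that flags web-server access-log lines matching what the report describes, namely requests under `/api/modular-connector/` carrying the `origin=mo&type=...` marker, non-error responses from the connector's login route, and the two source IPs named above. The sample log lines are constructed, and the route names below the prefix are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Source IPs named in the report quoted above (refanged for matching).
IOC_IPS = {"45.11.89.19", "185.196.0.11"}
ROUTE_PREFIX = "/api/modular-connector/"
# Apache/Nginx "combined" format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample lines, not real traffic. Only the route prefix and the
# origin=mo&type=... pair come from the report; the route names are assumed.
SAMPLE_LOG = """\
45.11.89.19 - - [13/Jan/2026:08:14:02 +0000] "GET /api/modular-connector/login?origin=mo&type=login HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [13/Jan/2026:08:15:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Jan/2026:08:16:33 +0000] "GET /api/modular-connector/system-info?origin=mo&type=info HTTP/1.1" 200 874 "-" "curl/8.4.0"
185.196.0.11 - - [13/Jan/2026:08:17:45 +0000] "GET /api/modular-connector/login HTTP/1.1" 404 0 "-" "-"
""".splitlines()

def classify(line):
    """Return the reasons one log line is suspicious, or [] if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(ROUTE_PREFIX):
        return []
    ip, status, query = m.group("ip"), int(m.group("status")), parse_qs(parts.query)
    reasons = []
    # The bypass hinges on the bare origin=mo&type=<anything> pair.
    if query.get("origin") == ["mo"] and "type" in query:
        reasons.append("direct-request marker origin=mo&type=... on connector route")
    route = parts.path[len(ROUTE_PREFIX):].strip("/").split("/")[0]
    # A non-error answer from the login route means the auto-login path was reached.
    if route == "login" and status < 400:
        reasons.append("successful hit on connector login route")
    if ip in IOC_IPS:
        reasons.append("source IP %s listed in the report" % ip)
    return reasons

def scan(lines):
    """Return (client_ip, reasons) for every flagged line, in log order."""
    hits = []
    for line in lines:
        reasons = classify(line)
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits
```

Feed it your real access log with `scan(open(path))` and review every flagged IP against the update status of the site.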
As Patchstack concludes: "This vulnerability highlights how dangerous implicit trust in internal request paths can be when exposed to the public internet. In this case, the issue was not caused by a single bug, but by several design choices combined together: URL-based route matching, a permissive 'direct request' mode, authentication based only on the site connection state, and a login flow that automatically falls back to an administrator account."
Don't wait – update your Modular DS plugin to version 2.5.2 or later today to protect yourself from this critical flaw!