A critical security flaw in the Modular DS WordPress plugin, tracked as CVE-2026-23550, carries a maximum severity score and is being actively exploited. The vulnerability enables unauthenticated privilege escalation, which can give an attacker administrator access to an affected website.
All versions of the Modular DS plugin up to and including 2.5.1 are affected. In the observed attacks, HTTP GET requests are sent to the endpoint ‘/api/modular-connector/login/’ in an attempt to create admin-level users on vulnerable sites. Successful exploitation gives the attacker full control of the website, allowing malicious changes, malware deployment, or redirection of legitimate users to scam pages.
The first attacks exploiting this flaw were detected on January 13, 2026. Developers of the plugin have since released a crucial patch in version 2.5.2, effectively addressing the vulnerability. Website owners are urged to update to the latest version immediately to protect their platforms from potential compromise.
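
For site owners reviewing their logs, the following added example (not code from the plugin, its developers, or the source report) flags GET requests to the endpoint named above that arrived on or after the first reported attack date. It assumes the Apache/nginx "combined" access-log format; the function name, the tolerant path matching, and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

# Endpoint and first-detection date come from the article; the rest is assumed.
ENDPOINT = "/api/modular-connector/login/"
FIRST_SEEN = datetime(2026, 1, 13, tzinfo=timezone.utc)

# Apache/nginx "combined" access-log format (assumption; adapt to your format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_login_endpoint_hits(lines, since=FIRST_SEEN):
    """Map client IP -> [(time, status, target)] for GET requests to the
    Modular DS login endpoint made on or after `since`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":  # the article reports GET requests
            continue
        # Match on the decoded path only: drop the query string, ignore case,
        # and tolerate a subdirectory install or a missing trailing slash.
        path = unquote(m["target"].split("?", 1)[0]).lower().rstrip("/") + "/"
        if not path.endswith(ENDPOINT):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if ts >= since:
            hits[m["ip"]].append((ts, int(m["status"]), m["target"]))
    return dict(hits)

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jan/2026:04:12:09 +0000] "GET /api/modular-connector/login/ HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [13/Jan/2026:04:12:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 9041 "-" "-"',
    '198.51.100.23 - - [14/Jan/2026:09:30:00 +0000] "GET /blog/API/modular-connector/login?constructed=1 HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.50 - - [02/Jan/2026:10:00:00 +0000] "GET /api/modular-connector/login/ HTTP/1.1" 404 153 "-" "-"',
    '192.0.2.51 - - [15/Jan/2026:11:00:00 +0000] "POST /api/modular-connector/login/ HTTP/1.1" 200 20 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in sorted(find_login_endpoint_hits(SAMPLE_LOG).items()):
        for ts, status, target in events:
            print(f"{ts.isoformat()}  {ip}  {status}  {target}")
```

A hit is a lead to review alongside the site's list of administrator accounts, not proof of compromise.
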
The case highlights the inherent risks of exposing internal request paths to the public internet and underscores the importance of implementing advanced authentication and authorization measures to safeguard digital assets.
For website developers, business owners, and WordPress users, staying on top of security updates, regularly patching plugins, and conducting vulnerability assessments have become indispensable practices in the ever-evolving digital threat landscape.
Source: The Hacker News