A maximum-severity vulnerability in the WordPress Modular DS plugin is being actively exploited by threat actors to gain full administrator access to affected websites. The flaw, tracked as CVE-2026-23550 with a CVSS score of 10.0, impacts all versions of the plugin prior to 2.5.2 and affects over 40,000 WordPress installations worldwide.

Modular DS is a popular site management plugin that enables administrators to monitor, update, and remotely manage multiple WordPress sites from a central dashboard. The vulnerability stems from an incorrect privilege assignment issue that allows completely unauthenticated attackers to escalate privileges without any credentials or user interaction.

Security researchers at Patchstack discovered that the flaw exists in the plugin's routing mechanism, which is designed to protect sensitive routes behind an authentication barrier. The plugin exposes routes under the '/api/modular-connector/' prefix, but this security layer can be bypassed when 'direct request' mode is enabled by supplying an 'origin' parameter set to 'mo' and a 'type' parameter set to any value. This combination allows attackers to auto-login as administrators.

Active exploitation began on January 13, 2026, with attackers targeting the plugin's login API to create new administrator accounts. Security researchers identified two IP addresses associated with the attacks: 45.11.89.19 and 185.196.0.11. Disclosure and patching moved quickly: Patchstack reported the vulnerability on January 14 at 08:04 UTC, and version 2.5.2 was released just over an hour later at 09:26 UTC.

Website administrators using Modular DS are strongly urged to update to version 2.6.0 or later immediately. Additional mitigation steps include restricting access to the '/api/modular-connector/' endpoint using IP allowlists or VPN-only access, implementing WAF rules to block suspicious requests containing the 'origin=mo' parameter, and reviewing administrator accounts for any unauthorized additions created during the exploitation window.
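
To support the log review recommended above, the following added example (not code from Patchstack or the Modular DS project) scans web server access logs for requests to the '/api/modular-connector/' prefix that carry 'origin=mo' together with a 'type' parameter. It assumes Combined Log Format and that the parameters appear in the query string; parameters sent in a request body are not visible in access logs. The log lines and the route name "placeholder-route" are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE_PREFIX = "/api/modular-connector/"
# Source addresses the article associates with the attacks.
REPORTED_IPS = {"45.11.89.19", "185.196.0.11"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_bypass_requests(lines):
    """Return one dict per request to the connector route that carries
    origin=mo together with a type parameter (any value, even empty)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        url = urlsplit(m["target"])
        # parse_qs percent-decodes, so origin=%6do is caught as well.
        params = parse_qs(url.query, keep_blank_values=True)
        if (ROUTE_PREFIX in unquote(url.path)
                and "mo" in params.get("origin", [])
                and "type" in params):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "target": m["target"], "status": int(m["status"]),
                         "reported_ip": m["ip"] in REPORTED_IPS})
    return hits

# Constructed sample lines; "placeholder-route" is not a real plugin route.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Jan/2026:10:15:02 +0000] "GET /api/modular-connector/placeholder-route?origin=mo&type=x HTTP/1.1" 302 0 "-" "-"',
    '45.11.89.19 - - [13/Jan/2026:10:16:40 +0000] "POST /api/modular-connector/placeholder-route?type=&origin=%6do HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.20 - - [13/Jan/2026:10:17:11 +0000] "GET /api/modular-connector/placeholder-route?origin=mo HTTP/1.1" 401 0 "-" "-"',
    '198.51.100.20 - - [13/Jan/2026:10:18:05 +0000] "GET /wp-login.php?origin=mo&type=a HTTP/1.1" 200 100 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_bypass_requests(SAMPLE_LOG):
        flag = " (reported attacker IP)" if hit["reported_ip"] else ""
        print(f'{hit["time"]} {hit["ip"]}{flag} {hit["method"]} {hit["target"]} -> {hit["status"]}')
```

Any hit dated inside the exploitation window is a reason to review administrator accounts as described above, regardless of the source address.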