PT-2026-2847 · Unknown · Modular Ds

Teemu Saarentaus · Published 2026-01-14 · Updated 2026-01-16 · CVE-2026-23550

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Modular DS versions prior to 2.5.2

Description: A critical vulnerability exists in Modular DS, allowing unauthenticated attackers to gain administrative access to WordPress sites. This is due to a flaw in the plugin's routing mechanism, specifically within exposed routes under /api/modular-connector/, which allows bypassing authentication. The issue is actively exploited in the wild, with attacks observed starting January 13, 2026. The vulnerability impacts over 40,000 active installations. Attackers can exploit this weakness by manipulating requests to the /api/modular-connector/login/ endpoint, effectively bypassing the authentication barrier. This allows for actions such as remote logins and access to sensitive data, potentially leading to full site compromise, including the introduction of malware or redirection to phishing scams.

Recommendations: Update the Modular DS plugin to version 2.5.2 or newer.
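
For reviewing a site that ran a version prior to 2.5.2, the script below (an added example, not part of the advisory or the plugin's code) scans web-server access logs for requests to the routes named in the description on or after January 13, 2026 and groups them by client address. It assumes Combined Log Format, that the path appears in the request line as the advisory writes it, and a UTC cutoff; the sample lines, addresses and status codes are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import unquote

PREFIX = "/api/modular-connector/"        # route prefix named in the advisory
LOGIN = "/api/modular-connector/login/"   # endpoint named in the advisory
SINCE = datetime(2026, 1, 13, tzinfo=timezone.utc)  # assumption: cutoff taken as UTC

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalize(target):
    """Drop the query string, decode %-escapes, collapse '//' and lowercase.
    Deliberately over-inclusive so trivially altered paths still match."""
    path = unquote(target.split("?", 1)[0]).lower()
    path = re.sub(r"/{2,}", "/", path)
    return path if path.endswith("/") else path + "/"

def triage(lines):
    """Return {ip: {"login": n, "other": n, "statuses": set}} for connector
    requests logged on or after SINCE."""
    hits = defaultdict(lambda: {"login": 0, "other": 0, "statuses": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a Combined Log Format line
        ip, ts, _method, target, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = normalize(target)
        if when < SINCE or not path.startswith(PREFIX):
            continue
        kind = "login" if path.startswith(LOGIN) else "other"
        hits[ip][kind] += 1
        hits[ip]["statuses"].add(int(status))
    return dict(hits)

# Constructed sample log lines (documentation addresses, made-up statuses and routes).
SAMPLE = [
    '203.0.113.7 - - [13/Jan/2026:02:11:09 +0000] "GET /api/modular-connector/login/?x=1 HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.7 - - [13/Jan/2026:02:11:10 +0000] "GET /api//modular%2Dconnector/LOGIN HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.4 - - [14/Jan/2026:09:00:00 +0000] "POST /api/modular-connector/example/ HTTP/1.1" 200 15 "-" "-"',
    '192.0.2.9 - - [10/Jan/2026:08:00:00 +0000] "GET /api/modular-connector/login/ HTTP/1.1" 302 0 "-" "-"',
    '192.0.2.9 - - [14/Jan/2026:08:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE).items()):
        print(ip, info["login"], info["other"], sorted(info["statuses"]))
```

Requests to these routes can also come from the legitimate Modular DS service, so the output is a list of addresses to review against known-good sources rather than proof of compromise.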

Exploit · Fix · LPE

Weakness Enumeration: Incorrect Privilege Assignment

Related Identifiers: CVE-2026-23550

Affected Products: Modular Ds