PT-2026-2847 · Unknown · Modular Ds

Teemu Saarentaus · Published 2026-01-14 · Updated 2026-02-17 · CVE-2026-23550

CVSS v3.1: 10.0
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Modular DS versions through 2.5.1
Description: A critical vulnerability exists in the Modular DS WordPress plugin that allows unauthenticated attackers to gain administrative access to affected websites. This flaw, tracked as CVE-2026-23550, is a broken access control issue stemming from incorrect routing and authentication logic. Specifically, the plugin's handling of "direct request" mode allows attackers to bypass cryptographic verification and access sensitive routes, such as /api/modular-connector/, leading to the issuance of admin session cookies without proper authentication. This enables attackers to log in as administrators and potentially take full control of the website, including the ability to create new admin users, inject malicious plugins, steal data, or deface the site. The vulnerability is actively being exploited in the wild, with exploitation attempts first observed on January 13, 2026. Over 40,000 WordPress installations are estimated to be at risk. The vulnerability is triggered by manipulating URL parameters, effectively bypassing the authentication barrier. The vulnerable component is the routing logic within the plugin, specifically the isDirectRequest() function.
Recommendations: Update Modular DS to version 2.5.2 or newer. Regenerate WordPress salts after updating to version 2.5.2. Monitor WordPress logs for suspicious direct-route requests and unexpected admin sessions.
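A defender-side check for the monitoring recommendation above, written here as an added example (not code from the advisory or from Modular DS): it scans web-server access-log lines for requests to the /api/modular-connector/ route and flags any that are followed, from the same client address, by a wp-admin request within a short window. The Combined Log Format parser, the ten-minute window and the sample log entries are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Combined Log Format parser (assumed log layout; adjust to your server's format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DIRECT_ROUTE = "/api/modular-connector/"   # route named in the advisory

def parse(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "status": int(m["status"])}

def is_direct_route(path):
    # Compare the path only: the advisory says the bypass is driven by URL parameters,
    # so the query string is irrelevant for spotting the route itself.
    return path.split("?", 1)[0].startswith(DIRECT_ROUTE)

def direct_route_hits(lines):
    """Count every request to the direct-connector route (worth logging on its own)."""
    return sum(1 for e in map(parse, lines) if e and is_direct_route(e["path"]))

def find_suspicious(lines, window=timedelta(minutes=10)):
    """(ip, direct_route_path, admin_path) for each direct-route hit followed by a
    wp-admin request from the same IP within `window`: an unexpected admin session."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    hits = []
    for i, e in enumerate(events):
        if not is_direct_route(e["path"]):
            continue
        for later in events[i + 1:]:
            if later["ts"] - e["ts"] > window:
                break
            if later["ip"] == e["ip"] and later["path"].startswith("/wp-admin/"):
                hits.append((e["ip"], e["path"], later["path"]))
                break
    return hits

# Constructed sample log: one direct-route hit followed by an admin request, one
# direct-route hit with no follow-up, and one ordinary login from another client.
SAMPLE_LOG = [
    '192.0.2.9 - - [13/Jan/2026:09:00:00 +0000] "GET /api/modular-connector/ HTTP/1.1" 200 311 "-" "curl/8.4.0"',
    '203.0.113.7 - - [13/Jan/2026:10:02:11 +0000] "GET /api/modular-connector/ HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '203.0.113.7 - - [13/Jan/2026:10:02:14 +0000] "GET /wp-admin/ HTTP/1.1" 200 8192 "-" "curl/8.4.0"',
    '198.51.100.20 - - [13/Jan/2026:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [13/Jan/2026:10:05:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(direct_route_hits(SAMPLE_LOG), find_suspicious(SAMPLE_LOG))
```

Direct-route requests that are never followed by admin activity are still worth reviewing; the second function only isolates the pairing that matches the advisory's "unexpected admin sessions".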

Tags: Exploit · Fix · LPE · Incorrect Privilege Assignment

Weakness Enumeration

Related Identifiers: CVE-2026-23550

Affected Products: Modular Ds