Hackers are actively exploiting a critical security vulnerability in the popular Modular DS WordPress plugin that allows attackers to bypass authentication and gain full admin-level access to affected websites.
The flaw, tracked as CVE-2026-23550 and rated at maximum severity, impacts Modular DS versions 2.5.1 and older. Modular DS is widely used to manage multiple WordPress sites from a single dashboard and has more than 40,000 active installations, making the issue particularly dangerous.
According to security researchers at Patchstack, exploitation began as early as January 13, around 02:00 UTC. The vulnerability stems from a combination of design and implementation flaws that cause the plugin to trust certain “direct requests” without properly verifying their origin through cryptographic checks. This exposes sensitive routes and triggers an automatic admin login fallback mechanism. If no user ID is supplied in a malicious request, the plugin automatically selects an existing admin or super admin account and logs the attacker in as that user, resulting in immediate privilege escalation.
Patchstack disclosed the issue to the plugin’s developers, and a fix was released within hours in Modular DS version 2.5.2. The update removes unsafe URL-based route matching, introduces stricter validation logic, adds a default 404 route, and ensures unrecognized requests fail safely. Security experts strongly urge all users to update immediately.
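To make the design point concrete, here is an added illustration (written for this article, not Modular DS's actual code) of the two handler styles the article contrasts: a fail-open handler that matches routes by URL substring, performs no origin check and falls back to an administrator when no user id is supplied, beside a fail-closed handler that allow-lists exact routes, returns 404 for anything else, requires an HMAC signature over the request before touching any user data, and rejects a request that does not name its user. The shared secret, the `X-Timestamp`/`X-Signature` header names, the `/modular/login` route and the user table are all constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret standing in for whatever the site and its
# management dashboard would agree on out of band.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Constructed user table standing in for the WordPress users table.
USERS = {
    7: {"login": "alice", "role": "administrator"},
    12: {"login": "bob", "role": "editor"},
}


def vulnerable_handle(path, params):
    """Illustrative fail-open handler: substring route matching, no origin
    check, and an admin fallback when the request names no user. This is
    the bug class the article describes, not the plugin's code."""
    if "login" in path:
        uid = params.get("user_id")
        if uid is None:  # fallback picks the first administrator
            uid = next(u for u, r in USERS.items() if r["role"] == "administrator")
        return ("200", USERS[int(uid)]["login"])
    return ("200", None)  # unknown paths still "succeed"


def sign(secret, method, path, body, ts):
    """HMAC-SHA256 over method, path, timestamp and body (assumed scheme)."""
    msg = f"{method}\n{path}\n{ts}\n".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


# Explicit allow-list of (method, path) pairs; matching is exact.
ROUTES = {("POST", "/modular/login")}


def hardened_handle(method, path, headers, body, now=None, max_skew=300):
    """Fail-closed handler: 404 for unknown routes, signature required,
    freshness bounded by max_skew seconds, and no admin fallback."""
    now = time.time() if now is None else now
    if (method, path) not in ROUTES:
        return ("404", None)
    ts = headers.get("X-Timestamp")
    sig = headers.get("X-Signature", "")
    try:
        fresh = abs(now - int(ts)) <= max_skew
    except (TypeError, ValueError):
        fresh = False
    if not fresh:
        return ("401", None)
    if not hmac.compare_digest(sign(SHARED_SECRET, method, path, body, ts), sig):
        return ("401", None)
    # The signed body must name the user explicitly; a missing id is an
    # error, never a reason to pick an administrator on the caller's behalf.
    try:
        uid = int(json.loads(body)["user_id"])
    except (ValueError, KeyError, TypeError):
        return ("400", None)
    user = USERS.get(uid)
    if user is None:
        return ("403", None)
    return ("200", user["login"])


if __name__ == "__main__":
    ts = "1000"
    body = b'{"user_id": 12}'
    sig = sign(SHARED_SECRET, "POST", "/modular/login", body, ts)
    print(hardened_handle("POST", "/modular/login",
                          {"X-Timestamp": ts, "X-Signature": sig}, body, now=1000))
```

The timestamp only bounds how long a captured signature stays usable; a production implementation would also record seen nonces or timestamps within the skew window so that a captured request cannot be replayed at all.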
The plugin’s vendor also recommends reviewing server access logs for suspicious activity, checking for unauthorized admin accounts, and regenerating all WordPress security salts after applying the update to reduce the risk of lingering compromise.
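The following added script (not from the vendor or Patchstack) shows one way to carry out the first two review steps: it scans combined-format access log lines for requests that reached the plugin's routes from an address other than the management dashboard, were not rejected, and fall on or after the exploitation start the article gives, and it flags administrator accounts that are either not on a known list or were registered after that point. The year in `WINDOW_START` is an assumption taken from the CVE identifier, `PLUGIN_PATH_PREFIX` and `TRUSTED_SOURCES` are placeholders to replace with your own values, and the log lines and user records are constructed; the user records follow the field names that `wp user list --format=json` emits.

```python
import re
from datetime import datetime, timezone

# Earliest exploitation per the article (January 13, about 02:00 UTC);
# the year is assumed from the CVE identifier.
WINDOW_START = datetime(2026, 1, 13, 2, 0, tzinfo=timezone.utc)

# Placeholder: the request path prefix the plugin's routes use on your site.
PLUGIN_PATH_PREFIX = "/wp-content/plugins/EXAMPLE-PLUGIN-SLUG/"

# Placeholder: addresses your management dashboard legitimately connects from.
TRUSTED_SOURCES = {"203.0.113.10"}

# Combined Log Format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:23:10:01 +0000] "POST /wp-content/plugins/EXAMPLE-PLUGIN-SLUG/connect HTTP/1.1" 200 512
198.51.100.7 - - [13/Jan/2026:02:14:07 +0000] "POST /wp-content/plugins/EXAMPLE-PLUGIN-SLUG/connect HTTP/1.1" 302 0
198.51.100.7 - - [13/Jan/2026:02:14:09 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812
192.0.2.55 - - [14/Jan/2026:09:00:00 +0000] "POST /wp-content/plugins/EXAMPLE-PLUGIN-SLUG/connect HTTP/1.1" 404 0
"""

# Constructed sample users in the shape of `wp user list --format=json`.
SAMPLE_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2021-05-02 10:00:00", "roles": "administrator"},
    {"ID": 2, "user_login": "editor1", "user_registered": "2022-01-01 00:00:00", "roles": "editor"},
    {"ID": 41, "user_login": "wp_support", "user_registered": "2026-01-13 02:15:44", "roles": "administrator"},
]


def parse_line(line):
    """Parse one access log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def suspicious_plugin_requests(lines):
    """Plugin-route requests from untrusted sources that were not rejected
    (status below 400) and occurred once exploitation had begun."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if (e["path"].startswith(PLUGIN_PATH_PREFIX)
                and e["ip"] not in TRUSTED_SOURCES
                and e["status"] < 400
                and e["ts"] >= WINDOW_START):
            hits.append(e)
    return hits


def unexpected_admins(users, known_admin_logins):
    """Administrator logins not on the known list or registered after the
    window opened. WordPress stores user_registered in UTC."""
    flagged = []
    for u in users:
        if "administrator" not in u["roles"].split(","):
            continue
        registered = datetime.fromisoformat(u["user_registered"]).replace(tzinfo=timezone.utc)
        if u["user_login"] not in known_admin_logins or registered >= WINDOW_START:
            flagged.append(u["user_login"])
    return flagged


if __name__ == "__main__":
    for hit in suspicious_plugin_requests(SAMPLE_LOG.splitlines()):
        print("suspicious:", hit["ip"], hit["ts"].isoformat(), hit["path"], hit["status"])
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"siteowner"}))
```

On a real site the user list would come from `wp user list --role=administrator --format=json`, and the third step, rotating the salts after the update, can be done with WP-CLI's `wp config shuffle-salts`, which invalidates every existing session cookie.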