Hackers exploit WordPress plugin security flaw exposing 40,000 websites to complete takeover risk – here’s how to stay safe

  • Patchstack found critical Modular DS flaw (CVE-2026-23550) allowing admin bypass
  • Vulnerability scored 10/10 and is already being exploited in the wild
  • Vendor released fix in version 2.5.2; users urged to upgrade immediately

If your WordPress website is running the Modular DS plugin, you might want to update to the latest version as soon as possible.

Modular DS is a popular WordPress plugin used by more than 40,000 websites which allows website admins to manage multiple WordPress sites from a single dashboard.

However, security researchers at Patchstack recently discovered that versions 2.5.1 and older carried design and implementation vulnerabilities which exposed multiple sensitive routes and activated an automatic login fallback mechanism.

Evidence of attacks

These vulnerabilities include direct route selection, bypassing of authentication mechanisms, and auto-login as admin, the researchers explained. As a result, malicious actors could have bypassed all authentication mechanisms remotely and accessed the compromised websites with an administrator account.

“As soon as the site has already been connected to Modular (tokens present/renewable), anyone can pass the auth middleware: there is no cryptographic link between the incoming request and Modular itself,” Patchstack explained.

“This exposes several routes […] which allow various actions to be performed, ranging from remote login to obtaining sensitive system or user data.”
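The following is an added illustration, not code from Modular DS or Patchstack, of the general pattern behind the quoted finding: a middleware that only checks whether a connection token exists on the site lets any remote caller through, whereas binding each request to the management server with an HMAC over its method, path, body and a timestamp supplies the missing cryptographic link. All names, headers, the request format and the sample secret are hypothetical.

```python
"""
Added example (not the plugin's code): "token present" authentication
versus HMAC-bound request authentication for a remote-management route.
"""
import hashlib
import hmac
import time

# Constructed sample: the secret a site would store once "connected" to a
# hypothetical management service. Real deployments use a random secret.
SITE_SECRET = b"constructed-shared-secret-for-demo"


def weak_auth_middleware(stored_token, request):
    """Vulnerable pattern: passes any request as long as a connection token
    exists on the site. Nothing in the request proves it came from the
    management server, so any remote caller is accepted."""
    return stored_token is not None


def sign_request(secret, method, path, body, timestamp):
    """Tag the management server (hypothetically) attaches to a request:
    HMAC-SHA256 over method, path, timestamp and the raw body."""
    message = f"{method}\n{path}\n{timestamp}\n".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def strong_auth_middleware(secret, request, now=None, max_skew=300):
    """Hardened pattern: accept only if the request carries a fresh timestamp
    and an HMAC computed with the shared secret over the request itself.
    A missing header, a stale timestamp, a tampered body or a wrong key
    all fail. Comparison is constant-time."""
    now = time.time() if now is None else now
    try:
        timestamp = int(request["headers"]["X-Timestamp"])
        tag = request["headers"]["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > max_skew:
        return False  # replayed or stale request
    expected = sign_request(secret, request["method"], request["path"],
                            request["body"], timestamp)
    return hmac.compare_digest(expected, tag)


def make_request(method, path, body, timestamp, secret=None):
    """Build a constructed request dict; signs it only when a secret is given."""
    headers = {"X-Timestamp": str(timestamp)}
    if secret is not None:
        headers["X-Signature"] = sign_request(secret, method, path, body, timestamp)
    return {"method": method, "path": path, "body": body, "headers": headers}


def demo(now=1_700_000_000):
    """Run both middlewares over the same constructed requests and return
    a dict of outcomes, so the contrast is visible without printing."""
    body = b'{"action":"remote-login"}'
    unsigned = make_request("POST", "/remote/login", body, now)
    signed = make_request("POST", "/remote/login", body, now, secret=SITE_SECRET)
    tampered = dict(signed, body=b'{"action":"other"}')
    return {
        "weak_accepts_unsigned": weak_auth_middleware("stored-token", unsigned),
        "strong_rejects_unsigned": not strong_auth_middleware(SITE_SECRET, unsigned, now=now),
        "strong_accepts_signed": strong_auth_middleware(SITE_SECRET, signed, now=now),
        "strong_rejects_stale": not strong_auth_middleware(SITE_SECRET, signed, now=now + 3600),
        "strong_rejects_tampered": not strong_auth_middleware(SITE_SECRET, tampered, now=now),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The weak middleware answers the question "is this site connected?" rather than "did this request come from the server it is connected to?"; the signed variant answers the second question, and the timestamp window limits replay of a captured request.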

The vulnerability is now tracked as CVE-2026-23550 and was given a severity score of 10/10 (critical).

In its write-up, Patchstack said the flaw is already being exploited in the wild, and that the first attacks were detected on January 13, 2026, citing WP.one’s Support Engineer team. The Modular DS vendor was notified on January 14 (a day after the first attacks were confirmed), and it came back with a fix “only a few hours later.”

The fix brought Modular DS to version 2.5.2, and users are now advised to upgrade without delay.

“We strongly recommend that all Modular DS installations ensure they are running this version as soon as possible and complete the following actions,” Modular DS said in a security advisory.

The actions advised include reviewing the potential indicators of compromise, regenerating WordPress salts, regenerating OAuth credentials, and scanning the site for malicious plugins or files.

Via BleepingComputer
