CVE-2026-23550 is a Critical (CVSS score: 10.0) unauthenticated privilege escalation vulnerability affecting the Modular DS (Modular Connector) WordPress plugin in versions up to and including 2.5.1.
- Type: Incorrect Privilege Assignment (CWE-266)
- Severity: Critical, CVSS 10/10
- Affected software: WordPress Modular DS plugin (<= 2.5.1)
How the Vulnerability Works
The flaw stems from overly permissive internal route matching inside the plugin's API (under /api/modular-connector/). Because the matching is too loose, an unauthenticated attacker can craft a request that is routed past the plugin's normal authentication checks and reaches a routine that logs the caller in as an administrator.
Here’s the impact in practice:
- No login or pre-existing credentials required — attackers can exploit this remotely.
- Privilege escalation to administrator level — giving full control of the WordPress site.
- This can lead to site compromise, data theft, defacement, malware installation, or redirection to malicious sites.
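The weakness class behind this, shown as an added example rather than the plugin's own code: the route table, endpoint names (`status`, `login`) and the two dispatchers below are hypothetical, and the page does not state how Modular DS matches routes. The vulnerable version decides the authentication exemption from one view of the path (its first segment) and picks the handler from another (its last segment), so a request under the API prefix can be treated as public while still reaching the privileged login routine. The hardened version normalises the path, requires the remainder after the prefix to be exactly one registered route, and uses that route's own auth flag, denying by default.

```python
import posixpath
from urllib.parse import urlsplit

API_PREFIX = "/api/modular-connector/"

# Hypothetical route table: name -> (handler, needs_credentials).
# Not the plugin's real routes; chosen only to illustrate the bug class.
ROUTES = {
    "status": (lambda: "status: ok", False),
    "login":  (lambda: "administrator session issued", True),
}


def vulnerable_dispatch(url, authenticated=False):
    """Permissive matching: the public/private decision is taken on the
    first path segment, the handler is chosen from the last one. For
    /api/modular-connector/status/login the two disagree, and an
    unauthenticated caller lands in the privileged routine."""
    path = urlsplit(url).path
    if not path.startswith(API_PREFIX):
        return "404 not found"
    segments = [s for s in path[len(API_PREFIX):].split("/") if s]
    if not segments or segments[-1] not in ROUTES:
        return "404 not found"
    # BUG: exemption keyed on segments[0], dispatch keyed on segments[-1]
    public = segments[0] in ROUTES and not ROUTES[segments[0]][1]
    if not public and not authenticated:
        return "401 unauthorized"
    return ROUTES[segments[-1]][0]()


def hardened_dispatch(url, authenticated=False):
    """Exact matching: normalise the path (collapses '..' and trailing
    slashes), require the remainder after the prefix to be exactly one
    registered route name, and enforce that same route's auth flag."""
    path = posixpath.normpath(urlsplit(url).path)
    if not path.startswith(API_PREFIX):
        return "404 not found"
    route = ROUTES.get(path[len(API_PREFIX):])
    if route is None:
        return "404 not found"
    handler, needs_credentials = route
    if needs_credentials and not authenticated:
        return "401 unauthorized"
    return handler()


if __name__ == "__main__":
    probe = "/api/modular-connector/status/login"
    print("vulnerable:", vulnerable_dispatch(probe))
    print("hardened:  ", hardened_dispatch(probe))
```

The point to take from the hardened version is not the specific check but the invariant: the object that decides whether credentials are required must be the same object that selects the code to run. Any router that answers those two questions from different parsings of the request is exposed to this class of bypass.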
Real-World Activity
Security researchers have reported active exploitation in the wild: attackers are sending HTTP GET requests to the vulnerable endpoints in an attempt to obtain administrator access and create backdoor administrator accounts.
Mitigation & Fixes
The plugin developers have released Modular Connector (Modular DS) v2.5.2, which fixes the issue.
Recommended actions:
- Update immediately to Modular DS 2.5.2 or later.
- Regenerate the API/OAuth credentials Modular DS uses, so that anything captured while the vulnerable version was running no longer works.
- If the site was running a vulnerable version, scan it for unauthorized administrator accounts, backdoors, and malicious files.
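A triage script that applies the two observations above (GET probes against the API path, then backdoor administrator accounts), added here as an example and not part of the advisory or of Modular DS. It parses web-server access-log lines in combined log format, pulls out every request under /api/modular-connector/, and then lists administrator accounts whose `user_registered` timestamp falls at or after the first such probe. The log lines, the IP addresses, the endpoint name `example-route` and the user rows are all constructed for the example; the user CSV has the shape produced by `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`, and WordPress stores `user_registered` in UTC.

```python
import csv
import io
import re
from datetime import datetime, timezone

API_PREFIX = "/api/modular-connector/"

# Combined log format as written by Apache/nginx.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic (not real logs); the endpoint name is invented.
ACCESS_LOG = """\
203.0.113.7 - - [12/Feb/2026:03:14:02 +0000] "GET /api/modular-connector/example-route HTTP/1.1" 200 51 "-" "python-requests/2.31"
203.0.113.7 - - [12/Feb/2026:03:14:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9812 "-" "python-requests/2.31"
203.0.113.7 - - [12/Feb/2026:03:14:09 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [12/Feb/2026:09:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Constructed administrator list in wp-cli CSV shape (not a real site).
USERS_CSV = """\
ID,user_login,user_email,user_registered
1,owner,owner@example.com,2023-05-01 10:00:00
17,wp_support,support@example.net,2026-02-12 03:14:10
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def suspicious_hits(entries):
    """Every request whose path (query string removed) sits under the plugin API.
    The advisory reports plain GET probes here, so any hit that is not from your
    own management infrastructure deserves a look regardless of status code."""
    return [e for e in entries
            if e["path"].split("?", 1)[0].startswith(API_PREFIX)]


def admins_registered_after(users_csv, when):
    """Administrator logins whose user_registered (UTC) is at or after `when`."""
    flagged = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        registered = datetime.strptime(
            row["user_registered"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if registered >= when:
            flagged.append(row["user_login"])
    return flagged


def triage(log_text, users_csv):
    """Correlate API probes with administrator accounts created afterwards."""
    hits = suspicious_hits(parse_log(log_text))
    if not hits:
        return {"hits": [], "sources": [], "new_admins": []}
    first_probe = min(h["ts"] for h in hits)
    return {
        "hits": hits,
        "sources": sorted({h["ip"] for h in hits}),
        "new_admins": admins_registered_after(users_csv, first_probe),
    }


if __name__ == "__main__":
    result = triage(ACCESS_LOG, USERS_CSV)
    print("probe sources:", result["sources"])
    print("admins created after first probe:", result["new_admins"])
```

On a real site, replace the two constants with the server's access log and the output of the `wp user list` command above. The account match is deliberately coarse (registration time only): it is a starting point for manual review, not proof of compromise, and a clean result does not rule out other persistence such as modified plugin or theme files.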
Technical Summary
| Attribute | Details |
|---|---|
| CVE ID | CVE-2026-23550 |
| Severity | Critical (CVSS: 10.0) |
| Impact | Privilege Escalation (Admin takeover) |
| Attack Vector | Network; no authentication required |
| Affected Versions | Modular DS ≤ 2.5.1 |
| Fixed Version | Modular DS 2.5.2 |
| Weakness (CWE) | Incorrect Privilege Assignment (CWE-266) |
