
WordPress Plugin Flaw Gives Hackers Admin Access

Summary

– Hackers are actively exploiting a critical flaw (CVE-2026-23550) in the Modular DS WordPress plugin to bypass authentication and gain admin access.
– The plugin, used to manage multiple WordPress sites from a single dashboard, has over 40,000 active installations; versions 2.5.1 and older are affected.
– The flaw stems from design issues that trust unverified requests, allowing unauthenticated users to trigger an automatic login as an existing admin.
– A patched version (2.5.2) was released hours after discovery, removing the vulnerable route matching and adding security validations.
– Users must immediately update to version 2.5.2 or later and are advised to check logs for suspicious activity and regenerate WordPress security keys.

A critical security vulnerability within the popular Modular DS WordPress plugin is being actively exploited, enabling attackers to gain complete administrative control over affected websites. This flaw, identified as CVE-2026-23550, poses a severe risk to site owners and administrators. The plugin, which boasts over 40,000 active installations, is designed to manage multiple WordPress sites from a single dashboard, offering features like remote monitoring, user management, and bulk updates. Security researchers warn that immediate action is required to prevent unauthorized access.

The vulnerability impacts Modular DS versions 2.5.1 and older. It stems from a combination of design and implementation weaknesses. Specifically, when the plugin’s “direct request” mode is active, it does not cryptographically verify the origin of incoming requests and treats them as trusted. That exposes several sensitive internal routes, the most dangerous of which is an automatic login fallback: if a request does not specify a user ID, the plugin retrieves an existing administrator (or super administrator) account and logs the requester in with those privileges, so an unauthenticated attacker obtains an admin session without knowing any credentials.

Researchers at Patchstack first detected active exploitation of this flaw in the wild on January 13. The security firm confirmed the vulnerability and contacted the plugin’s developers, who responded swiftly by releasing a patched version, 2.5.2, within hours. The fix addresses the core issues by overhauling how the plugin handles requests. The update removes URL-based route matching and implements validated filter logic to control access. It also adds a default 404 error route for unrecognized requests, restricts route binding to specific ‘type’ values, and introduces a safe failure mode to prevent unauthorized logins.
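The two request-handling designs described above (the trusted "direct request" path with an admin fallback, and the patched shape with verified origin, allow-listed 'type' routing, a default 404 and fail-closed login) are modelled here as an added example. This is not the plugin's own code and it is written in Python rather than the plugin's PHP; the user table, the shared secret, the route names, the X-Signature header and the /plugin/login path are all assumptions made for the illustration.

```python
import hmac
import hashlib
import json
from typing import Optional

# Constructed state for this example (not the plugin's data model): a small user
# table and a secret that the management dashboard and the managed site would share.
USERS = {
    1: {"login": "owner", "roles": {"administrator"}},
    2: {"login": "writer", "roles": {"editor"}},
}
SHARED_SECRET = b"example-shared-secret-not-a-real-key"
ALLOWED_TYPES = {"status", "login"}   # assumed route names


def first_admin_id() -> Optional[int]:
    """Return an existing administrator's id, as an auto-login fallback would."""
    for uid, user in USERS.items():
        if "administrator" in user["roles"]:
            return uid
    return None


def vulnerable_handle(request: dict) -> dict:
    """Weak design, as the advisory describes it: in 'direct request' mode the
    request is trusted without any cryptographic check, the route is matched
    from the URL, and a missing user_id falls back to an existing admin."""
    route = request.get("path", "").rstrip("/").rsplit("/", 1)[-1]
    if route == "login":
        uid = request.get("body", {}).get("user_id")
        if uid is None:
            uid = first_admin_id()           # the dangerous fallback
        return {"status": 200, "logged_in_as": uid}
    return {"status": 200, "route": route}   # any other URL name is "handled" too


def sign(raw_body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the exact request body, hex encoded."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def signed_request(body: dict, secret: bytes = SHARED_SECRET) -> dict:
    """Build a request the way a legitimate dashboard would: body plus signature."""
    raw = json.dumps(body, sort_keys=True).encode()
    return {"raw_body": raw, "headers": {"X-Signature": sign(raw, secret)}}


def hardened_handle(request: dict) -> dict:
    """Hardened shape modelled on the fix described: verify origin first, bind the
    route to an allow-listed 'type' in the signed body (not the URL), answer 404
    for anything else, and fail closed when no user id is supplied."""
    raw = request.get("raw_body", b"")
    presented = request.get("headers", {}).get("X-Signature", "")
    if not presented or not hmac.compare_digest(presented, sign(raw)):
        return {"status": 403}                      # unverified origin: refuse
    body = json.loads(raw)
    rtype = body.get("type")
    if rtype not in ALLOWED_TYPES:
        return {"status": 404}                      # default route for anything unknown
    if rtype == "login":
        uid = body.get("user_id")
        if uid is None or uid not in USERS:
            return {"status": 400}                  # safe failure: never an admin fallback
        return {"status": 200, "logged_in_as": uid}
    return {"status": 200, "route": rtype}


if __name__ == "__main__":
    # An unauthenticated request with no user_id against each design
    print(vulnerable_handle({"path": "/plugin/login", "body": {}}))
    print(hardened_handle({"raw_body": b'{"type": "login"}', "headers": {}}))
    print(hardened_handle(signed_request({"type": "login"})))
```

The three calls at the bottom show the whole difference: the weak handler answers the empty request with a session for user 1 (the administrator), while the hardened one rejects the unsigned request outright and, even when the dashboard's own signature is present, refuses a login that names no user.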

For website administrators using Modular DS, upgrading to version 2.5.2 or newer is the most urgent step; every hour of delay leaves the site open to complete compromise. Updating alone does not undo an intrusion that has already happened, so the plugin’s vendor recommends a series of additional checks. Administrators should review server access logs for suspicious requests to the plugin’s endpoints and scrutinize the WordPress user list for administrator accounts they did not create. After applying the update, regenerate all WordPress security keys and salts in wp-config.php (WP-CLI’s wp config shuffle-salts command does this); that invalidates every existing authentication cookie, including any session an attacker obtained through the fallback login, and forces all users to log in again.
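The log review and user audit from the previous paragraph, as an added triage example that is not part of the original article or of the plugin. It parses Apache combined-format access log lines, flags hits on the plugin's endpoint that do not come from the management dashboard's known address, lists the wp-admin activity those addresses produced afterwards, and lists administrator accounts registered on or after the exploitation date. The endpoint path (example-manager), the IP addresses, the log lines and the user records are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample data. The plugin endpoint path, the IP addresses and the
# user records are assumptions for this example, not values from the advisory.
PLUGIN_ENDPOINT = "/wp-content/plugins/example-manager/"
KNOWN_DASHBOARD_IPS = {"203.0.113.10"}      # where legitimate management calls originate
PATCH_WINDOW_START = datetime(2026, 1, 13, tzinfo=timezone.utc)

SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:22:10:01 +0000] "POST /wp-content/plugins/example-manager/connect.php HTTP/1.1" 200 512 "-" "ExampleDashboard/2.5"
198.51.100.77 - - [13/Jan/2026:11:02:45 +0000] "POST /wp-content/plugins/example-manager/connect.php HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.77 - - [13/Jan/2026:11:02:46 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 9000 "-" "python-requests/2.31"
198.51.100.77 - - [13/Jan/2026:11:02:47 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
192.0.2.5 - - [13/Jan/2026:11:30:00 +0000] "GET /index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

SAMPLE_USERS = [
    {"login": "owner", "role": "administrator", "registered": datetime(2024, 3, 2, tzinfo=timezone.utc)},
    {"login": "writer", "role": "editor", "registered": datetime(2025, 6, 9, tzinfo=timezone.utc)},
    {"login": "wp_support", "role": "administrator", "registered": datetime(2026, 1, 13, 11, 2, 47, tzinfo=timezone.utc)},
]

# Apache "combined" format: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_log(text: str) -> list:
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip anything not in combined format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries


def unexpected_endpoint_hits(entries: list) -> list:
    """Requests to the plugin endpoint from anything other than the known dashboard."""
    return [e for e in entries
            if e["path"].startswith(PLUGIN_ENDPOINT) and e["ip"] not in KNOWN_DASHBOARD_IPS]


def follow_on_admin_activity(entries: list, hits: list) -> list:
    """wp-admin requests from a flagged IP at or after its first endpoint hit; an
    auto-login as admin is typically followed by account creation or file edits."""
    first_hit = {}
    for h in hits:
        first_hit[h["ip"]] = min(h["ts"], first_hit.get(h["ip"], h["ts"]))
    return [e for e in entries
            if e["ip"] in first_hit
            and e["path"].startswith("/wp-admin/")
            and e["ts"] >= first_hit[e["ip"]]]


def admins_registered_since(users: list, since: datetime) -> list:
    """Administrator logins created on or after the cut-off (the exploitation window)."""
    return [u["login"] for u in users
            if u["role"] == "administrator" and u["registered"] >= since]


def triage(log_text: str = SAMPLE_LOG, users: list = SAMPLE_USERS,
           since: datetime = PATCH_WINDOW_START) -> dict:
    entries = parse_log(log_text)
    hits = unexpected_endpoint_hits(entries)
    return {
        "suspect_ips": sorted({h["ip"] for h in hits}),
        "admin_activity": [(e["ip"], e["method"], e["path"])
                           for e in follow_on_admin_activity(entries, hits)],
        "new_admins": admins_registered_since(users, since),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(triage())
```

On a real site, feed it the web server's access log and the output of the user listing; the known-dashboard allow-list is the key assumption, since legitimate traffic to the plugin endpoint should only ever come from the management dashboard's address. A flagged IP followed by a POST to user-new.php, together with an administrator account whose registration time matches that request, is exactly the pattern the vendor's checks are meant to surface.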

(Source: Bleeping Computer)
