A critical privilege escalation vulnerability, tracked as CVE-2026-23550 (CVSS 10), has been discovered in the Modular DS WordPress plugin, exposing over 40,000 websites to unauthorized administrative takeover. Security researchers at Patchstack have issued a warning after detecting active exploitation attempts in the wild starting as early as January 13th.
The vulnerability, which affects plugin versions 2.5.1 and earlier, allows unauthenticated attackers to bypass the plugin's authentication check and log in as an administrator simply by manipulating a URL parameter.
The flaw resides in how the plugin handles “direct requests” to its API. The developers implemented a routing system intended to manage remote tasks for WordPress sites. However, the authentication logic contained a fatal oversight.
According to the report, “the mechanism ultimately relies on a flawed isDirectRequest() method… that bypasses authentication when the ‘direct request’ mode is activated”.
Enabling this “direct mode” requires neither a cryptographic signature nor a shared secret. “This mode can be enabled simply by supplying an origin parameter set to ‘mo’ and a type parameter set to any value”.
In practice, an attacker only needs to add origin=mo and any type value to the query string for the plugin to treat the request as trusted. “There is no verification of a signature, secret, IP, or mandatory User-Agent: the simple pair origin=mo&type=xxx is enough for the request to be considered as a Modular direct request”.
Patchstack’s analysis confirms that threat actors are already abusing this loophole to plant backdoors.
“According to WP.one Support Engineer’s team, first attacks were detected on January 13th around 2AM UTC”.
Once the attackers bypass the login screen, they waste no time cementing their control. “When successfully logged in through the flaw, the attacker then attempts to create a new ‘PoC Admin’ WordPress administrator user, using a username containing ‘admin’ and a bogus email address”.
The report identifies several IP addresses involved in the initial wave of attacks, including 45.11.89.19 and 162.158.123.41.
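The two observable artifacts described above, the origin=mo plus type query-string pair that triggers the bypass and the administrator account the attacker creates afterwards, are both things a site owner can hunt for. The following is an added triage script, not code from Patchstack or the Modular DS project. It assumes combined-format (Apache/nginx) access logs and a WordPress user export as a list of dicts; the log lines, request paths and user records are constructed samples, and the "suspicious admin" heuristic is this example's own assumption, not the report's detection rule.

```python
"""Triage helpers for CVE-2026-23550 (Modular DS 'direct request' auth bypass).

Added example, not code from Patchstack or the Modular DS project. All sample
data below is constructed; request paths are placeholders, not the plugin's
real endpoints.
"""
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# IP addresses the report names as part of the first wave of attacks.
KNOWN_IOC_IPS = {"45.11.89.19", "162.158.123.41"}

# First attacks were reported on 13 January 2026 around 02:00 UTC.
FIRST_SEEN = datetime(2026, 1, 13, 2, 0, tzinfo=timezone.utc)

# Combined log format: ip ident user [ts] "METHOD URI PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def is_direct_request_bypass(uri: str) -> bool:
    """True if the request carries origin=mo plus a type parameter of any value.

    Per the report this pair alone makes the plugin treat the request as a
    'direct request' and skip authentication; there is no signature, secret,
    IP or User-Agent check, so nothing else needs to match. An empty type=
    is counted as well, which is the conservative choice when hunting.
    """
    qs = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return "mo" in qs.get("origin", []) and "type" in qs


def scan_access_log(log_text: str) -> list[dict]:
    """Return one finding per request that matches the bypass pattern."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_direct_request_bypass(m["uri"]):
            continue  # unparseable line or benign request
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "uri": m["uri"],
            "status": int(m["status"]),
            "user_agent": m["ua"],
            "known_ioc_ip": m["ip"] in KNOWN_IOC_IPS,
        })
    return findings


def suspicious_admins(users: list[dict]) -> list[dict]:
    """Flag administrator accounts matching the observed post-exploitation step.

    Heuristic (an assumption of this example, not the report's rule): an
    administrator registered on or after FIRST_SEEN whose login contains
    'admin' or whose display name is 'PoC Admin'. Review every hit by hand.
    """
    hits = []
    for u in users:
        if "administrator" not in u.get("roles", []):
            continue
        if datetime.fromisoformat(u["registered"]) < FIRST_SEEN:
            continue
        if "admin" in u["user_login"].lower() or u.get("display_name") == "PoC Admin":
            hits.append(u)
    return hits


# Constructed sample log lines (not real traffic). Lines 3 and 4 lack the
# type parameter or use a different origin, so they must not be flagged.
SAMPLE_LOG = """\
45.11.89.19 - - [13/Jan/2026:02:04:11 +0000] "GET /?origin=mo&type=xxx HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Jan/2026:09:15:02 +0000] "GET /wp-admin/?origin=mo&type= HTTP/1.1" 200 4120 "-" "curl/8.4.0"
203.0.113.8 - - [13/Jan/2026:09:20:45 +0000] "GET /?origin=mo HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Jan/2026:09:21:00 +0000] "GET /?type=xxx&origin=other HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
"""

# Constructed user export (e.g. from `wp user list --format=json`, roles split).
SAMPLE_USERS = [
    {"user_login": "editor_jane", "display_name": "Jane", "roles": ["editor"],
     "registered": "2025-06-01T10:00:00+00:00"},
    {"user_login": "siteadmin", "display_name": "Site Admin", "roles": ["administrator"],
     "registered": "2024-03-02T09:00:00+00:00"},
    {"user_login": "admin8831", "display_name": "PoC Admin", "roles": ["administrator"],
     "registered": "2026-01-13T02:06:40+00:00"},
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        tag = " [known IOC IP]" if f["known_ioc_ip"] else ""
        print(f"bypass attempt from {f['ip']} at {f['timestamp']}: {f['uri']}{tag}")
    for u in suspicious_admins(SAMPLE_USERS):
        print(f"review administrator account: {u['user_login']} ({u['display_name']})")
```

If the site sits behind a CDN or reverse proxy, make sure the address field you match against the IOC list is the real client address (for example from X-Forwarded-For or an equivalent header written into the log), not the proxy's, and treat IP matches as a starting point rather than the sole signal: the query-string pair is the stronger indicator because the bypass works regardless of source address.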
The developers have released a patch that refactors the routing logic to close the hole. The update removes the insecure “direct route selection” so that requests are properly validated before any action is taken.
“In src/app/Providers/RouteServiceProvider.php, bindOldRoutes() was refactored: its signature changed (it no longer receives $route), it now retrieves the available routes, and binds it to the current request with a default fallback”.
With active exploitation confirmed, administrators using Modular DS should update to the latest version immediately. Because the observed attacks create a new administrator account and plant backdoors, updating alone is not enough for a site that was exposed before the patch: review the user list for administrators you did not create, check access logs for requests carrying origin=mo together with a type parameter, and remove any accounts or files the attacker left behind.