securityonline.info 1/15/2026, 10:15:56 AM · via preferred

Exploited in the Wild: Critical Modular DS Flaw CVE-2026-23550 (CVSS 10) Allows Instant Admin Takeover

According to Patchstack, a critical privilege escalation vulnerability tracked as CVE-2026-23550 (CVSS 10) has been exploited in the wild in the Modular DS WordPress plugin, exposing more than 40,000 websites to unauthorised administrative takeover. The flaw affects plugin versions 2.5.1 and below and allows unauthenticated attackers to bypass security checks and log in as an administrator simply by manipulating a URL parameter.

The vulnerability lies in how the plugin handles direct requests to its API: an isDirectRequest() method skips authentication when direct mode is active, and direct mode is enabled simply by sending an origin parameter set to 'mo' together with a type parameter of any value. Patchstack notes that the initial attacks were detected on 13 January 2026 around 2am UTC, with attackers creating "PoC Admin" users after bypassing the login screen; several IPs, including 45.11.89[.]19 and 162.158.123[.]41, appeared in the early wave.
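As an added example, not code from the article or from the plugin, the following Python scanner flags access-log entries that carry the parameter pair described above (origin=mo plus any type value) and marks hits from the IPs the article lists. The log lines are constructed, the endpoint path is a placeholder because the article does not name it, and the scan() and is_direct_mode_request() helpers are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# IPs quoted in the advisory, kept defanged as published; refanged for matching.
REPORTED_IPS = {"45.11.89[.]19", "162.158.123[.]41"}

# Combined Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def refang(ioc):
    return ioc.replace("[.]", ".")

def is_direct_mode_request(target):
    """True when the query string matches the article's description:
    origin=mo present together with a type parameter of any value
    (keep_blank_values so that an empty type= still counts)."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return "mo" in qs.get("origin", []) and "type" in qs

def scan(lines):
    """Return one finding per log line that matches the direct-mode pattern."""
    known = {refang(i) for i in REPORTED_IPS}
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_direct_mode_request(m["target"]):
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "target": m["target"],
            "status": int(m["status"]), "reported_ip": m["ip"] in known,
        })
    return findings

# Constructed sample lines; /index.php stands in for the plugin endpoint,
# which the article does not name, so the rule keys on the query string only.
SAMPLE_LOG = [
    '45.11.89.19 - - [13/Jan/2026:02:01:07 +0000] "GET /index.php?origin=mo&type=login HTTP/1.1" 200 1024 "-" "curl/8.0"',
    '203.0.113.5 - - [13/Jan/2026:02:05:44 +0000] "GET /?origin=mo HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Jan/2026:02:06:02 +0000] "POST /index.php?type=x&origin=mo HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [13/Jan/2026:02:07:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = " (IP listed in the advisory)" if f["reported_ip"] else ""
        print(f"{f['ts']} {f['ip']} {f['target']} -> {f['status']}{flag}")
```

A hit from an unlisted IP still deserves review: the advisory's IP list covers only the first wave, and any direct-mode request followed by a new administrator account is the pattern to chase.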

A patch has been released to rework the routing logic and tighten request validation, and site administrators are urged to update to the latest version to prevent further exploitation.


Article by CyberSIXT