A critical vulnerability in the Modular DS WordPress plugin, tracked as CVE-2026-23550, allows unauthenticated attackers to gain administrative access with a maximum CVSS score of 10.0. Security researchers have confirmed that threat actors are actively exploiting this flaw to take over websites that use the management tool.
The Modular DS plugin, which is currently active on more than 40,000 WordPress sites, is designed to help administrators manage multiple installations from a single dashboard. However, versions 2.5.1 and earlier contain a fundamental flaw in how the software handles API requests. By exploiting specific routes, an attacker can bypass standard security checks and trigger an automatic login as an administrator, effectively granting them full control over the target website.
According to technical analysis from Patchstack, the vulnerability stems from a flawed authentication middleware. The plugin exposes several API routes that are intended to be protected, but a specific function called isDirectRequest() can be manipulated. Attackers found that by simply adding certain parameters to their request, they could trick the system into treating their connection as a trusted direct request from the Modular DS service.
The primary issue is a lack of rigorous validation for these direct requests. The system does not verify digital signatures, secrets, IP addresses, or specific User-Agent strings. Instead, it relies on a simple pair of parameters to grant trust. If a website is already linked to the Modular DS ecosystem, the software fails to perform a cryptographic handshake, allowing anyone to reach sensitive functions like system information, backups, and administrative login screens.
Once the authentication middleware is bypassed, the consequences for the site owner are severe. Unauthorized users can access restricted routes to steal sensitive data through backup files or perform administrative actions without ever providing a password. Because this flaw is being actively utilized in the wild, website owners using Modular DS are urged to update to the latest patched version immediately to prevent complete site compromise.
Source: Actively Exploited Flaw in Modular DS WordPress Plugin Enables Admin Takeover