Hackers Exploit WordPress Plugin Security Flaw
If your WordPress site uses the Modular DS plugin, updating to the latest version should be a top priority.
Modular DS is a widely used WordPress plugin, installed on more than 40,000 websites, that allows administrators to manage multiple WordPress sites from a single dashboard. However, security researchers at Patchstack recently discovered that versions 2.5.1 and earlier contain serious design and implementation flaws.
According to Patchstack, the plugin exposed several sensitive routes whose authentication could be bypassed, and an automatic login fallback could be triggered to obtain an administrator session. The issues included direct route selection, authentication bypass, and automatic login as an administrator. In practice, an unauthenticated remote attacker could get past every authentication check and gain full admin access to an affected site.
“As soon as the site has already been connected to Modular (tokens present/renewable), anyone can pass the auth middleware,” Patchstack explained. “There is no cryptographic link between the incoming request and Modular itself.” As a result, several exposed routes could be abused for actions ranging from remote logins to accessing sensitive system and user data.
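To make the quoted design flaw concrete, the following is an added illustration written for this article, not Modular DS code and not Patchstack's proof of concept. It models a middleware that passes any request as soon as the site holds a token, beside one that binds each request to the caller with an HMAC over the method, path, timestamp and body. The header names, route path, token value and timestamps are all invented for the example.

```python
"""Hypothetical illustration of the auth-middleware weakness Patchstack
described (a request passes as long as the site already holds tokens) next
to a middleware that cryptographically binds each request to the caller.
This is example code, not Modular DS source; every name here is invented."""
import hashlib
import hmac
import json
import time

# Constructed sample state: the site has already been connected, so a token is stored.
STORED_TOKEN = "3f9c0b1e8a7d4c2b9e6f5a1d0c3b8e7f"   # constructed, not a real credential
MAX_SKEW_SECONDS = 300


def vulnerable_middleware(stored_token, request):
    """Models the flawed check: the only question asked is whether the site
    holds a token at all. Nothing about `request` is verified, so any caller
    who reaches the route passes once the site is connected."""
    return bool(stored_token)


def canonical_string(method, path, timestamp, body):
    """Canonical request representation that the signature covers."""
    body_hash = hashlib.sha256(body.encode()).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash])


def sign_request(secret, method, path, timestamp, body):
    """What a legitimate management-side caller would attach (hypothetical scheme)."""
    msg = canonical_string(method, path, timestamp, body).encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def hardened_middleware(stored_token, request, now=None):
    """Accept only requests whose HMAC over method/path/timestamp/body
    verifies under the shared token and whose timestamp is fresh."""
    if not stored_token:
        return False
    now = time.time() if now is None else now
    try:
        ts = int(request["headers"]["X-Timestamp"])
        sig = request["headers"]["X-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False  # stale or replayed request
    expected = sign_request(stored_token, request["method"], request["path"], ts, request["body"])
    return hmac.compare_digest(expected, sig)  # constant-time comparison


def build_request(method, path, body, timestamp=None, secret=None):
    """Assemble a request dict; attaches a signature only when a secret is given."""
    headers = {}
    if timestamp is not None:
        headers["X-Timestamp"] = str(timestamp)
    if secret is not None:
        headers["X-Signature"] = sign_request(secret, method, path, timestamp, body)
    return {"method": method, "path": path, "body": body, "headers": headers}


def demo(now=1_768_262_400):  # constructed epoch time; only relative freshness matters
    body = json.dumps({"action": "login"})
    # Attacker request: reaches the route with no secret at all.
    forged = build_request("POST", "/example/auto-login", body)
    # Attacker who knows the scheme but not the token.
    wrong_key = build_request("POST", "/example/auto-login", body, now, secret="not-the-token")
    # Legitimate signed request, a tampered copy of it, and a replay an hour later.
    legit = build_request("POST", "/example/auto-login", body, now, secret=STORED_TOKEN)
    tampered = dict(legit, body=json.dumps({"action": "login", "user": "admin"}))
    return {
        "forged_vulnerable": vulnerable_middleware(STORED_TOKEN, forged),
        "forged_hardened": hardened_middleware(STORED_TOKEN, forged, now),
        "wrong_key_hardened": hardened_middleware(STORED_TOKEN, wrong_key, now),
        "legit_hardened": hardened_middleware(STORED_TOKEN, legit, now),
        "tampered_hardened": hardened_middleware(STORED_TOKEN, tampered, now),
        "replay_hardened": hardened_middleware(STORED_TOKEN, legit, now + 3600),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The forged request is accepted by the first check and rejected by the second, which is the whole difference between "tokens present" and "this request provably came from the holder of the token". The timestamp window only bounds replay; a production design would also cache nonces inside that window, and any comparison of signatures must use a constant-time function such as `hmac.compare_digest`.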
The vulnerability has been assigned CVE-2026-23550 and carries the maximum critical severity rating of 10 out of 10.
Patchstack also noted that the flaw is already being actively exploited. The first attacks were detected on January 13, 2026, based on reports from the WP.one support engineering team. The Modular DS vendor was notified the following day and released a fix within hours.
That fix was included in Modular DS version 2.5.2, and all users are strongly advised to upgrade immediately.
In a security advisory, the Modular DS team recommended that site owners not only update the plugin, but also take additional precautionary steps. These include reviewing indicators of compromise, regenerating WordPress salts, resetting OAuth credentials, and scanning sites for malicious plugins or files.
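The steps above, driven through WP-CLI from the site's root directory, as an added example rather than anything published by the Modular DS team or Patchstack. The plugin's WP-CLI slug is assumed to be `modular-connector`; confirm it with `wp plugin list` before running anything, and note that the OAuth credential reset is left as a manual step because it is not a WP-CLI operation.

```python
"""Added example (not from the Modular DS advisory or Patchstack): drives the
advisory's remediation steps through WP-CLI. Run from the WordPress root with
--apply. ASSUMPTION: the plugin's WP-CLI slug is "modular-connector"; confirm
with `wp plugin list` first."""
import subprocess
import sys

PLUGIN_SLUG = "modular-connector"   # assumed slug, verify before use
PATCHED_VERSION = "2.5.2"           # first fixed release named in the article


def parse_version(text):
    """'2.5.10' -> (2, 5, 10); numeric tuples compare correctly where strings would not."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def needs_update(installed, patched=PATCHED_VERSION):
    """True when the installed version is older than the patched release."""
    return parse_version(installed) < parse_version(patched)


def wp(*args, check=True):
    """Run a WP-CLI command and return its combined output."""
    result = subprocess.run(["wp", *args], check=check, text=True, capture_output=True)
    return result.stdout + result.stderr


def remediate():
    installed = wp("plugin", "get", PLUGIN_SLUG, "--field=version").strip()
    if needs_update(installed):
        print(f"Modular DS {installed} is vulnerable; updating")
        wp("plugin", "update", PLUGIN_SLUG)
    else:
        print(f"Modular DS {installed} is already at or above {PATCHED_VERSION}")

    # Rotating the salts invalidates every existing login cookie, including
    # any session an attacker obtained through the auto-login route.
    wp("config", "shuffle-salts")

    # Indicators to review: administrator accounts you did not create, and
    # core/plugin files that differ from upstream checksums. The verify
    # commands exit non-zero when they find mismatches, so do not treat that
    # as a script failure.
    print(wp("user", "list", "--role=administrator",
             "--fields=ID,user_login,user_email,user_registered"))
    print(wp("core", "verify-checksums", check=False))
    print(wp("plugin", "verify-checksums", "--all", check=False))

    print("Remaining manual step: reset the Modular DS OAuth credentials as the vendor advises.")


if __name__ == "__main__" and "--apply" in sys.argv:
    remediate()
```

The version comparison is done on integer tuples rather than strings so that a future 2.5.10 is not mistaken for something older than 2.5.2; the same guard is worth reusing when sweeping a fleet of sites for unpatched copies.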
Delaying this update could leave WordPress sites fully exposed, making prompt action essential.
