DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23550: The 'Just Trust Me' Admin Bypass in Modular DS

Vulnerability ID: CVE-2026-23550
CVSS Score: 10.0
Published: 2026-01-14

A critical authentication bypass vulnerability in the Modular DS WordPress plugin allows unauthenticated attackers to log in as an administrator simply by manipulating URL parameters. Rated CVSS 10.0, this flaw is actively exploited in the wild.

TL;DR

The Modular DS plugin (up to version 2.5.1) contains a logic flaw in its API routing mechanism. By appending ?origin=mo&type=foo to the login endpoint, an attacker bypasses all cryptographic checks and is immediately granted an administrator session cookie. Patch to version 2.5.2 immediately.


⚠️ Exploit Status: ACTIVE

Technical Details

  • CWE: CWE-266 (Incorrect Privilege Assignment)
  • CVSS: 10.0 (Critical)
  • Attack Vector: Network (HTTP GET)
  • Auth Required: None
  • Exploit Status: Active / In the Wild
  • EPSS Probability: 6.11%

Affected Systems

  • WordPress sites with Modular DS (Modular Connector) plugin <= 2.5.1
  • Modular DS (Modular Connector): <= 2.5.1 (Fixed in: 2.5.2)

Exploit Details

  • Nuclei template: an automated detection template that checks for the 302 redirect and the administrator session cookie being set in the response.

Mitigation Strategies

  • Update Modular DS plugin to version >= 2.5.2
  • Implement WAF rules blocking requests with 'origin=mo' query parameters from untrusted IPs
  • Restrict access to '/api/modular-connector/' to known IP ranges if possible
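To hunt for exploitation attempts in web-server access logs, here is an added Python example (not code from the advisory or from the Modular DS project) that flags requests to '/api/modular-connector/' carrying origin=mo and marks a 302 response as the success indicator the detection template checks for; the sample log lines and the '/login' path under that prefix are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format (Apache/Nginx):
# ip - - [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

ENDPOINT_PREFIX = "/api/modular-connector/"   # path named in the advisory
SUSPICIOUS_ORIGIN = "mo"                      # 'origin=mo' value named in the advisory

def classify(line):
    """Return None for a benign line, else a dict describing the suspicious request."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(ENDPOINT_PREFIX):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if SUSPICIOUS_ORIGIN not in query.get("origin", []):
        return None
    status = int(m.group("status"))
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "path": parts.path,
        "type": query.get("type", [""])[0],
        "status": status,
        # A 302 here is the success indicator the advisory's detection template checks for.
        "likely_success": status == 302,
    }

def hunt(lines):
    """Run classify() over every log line and keep the hits, in log order."""
    return [hit for hit in (classify(line) for line in lines) if hit]

# Constructed sample log lines (not from any real incident); '/login' is an assumed path.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2026:03:12:44 +0000] "GET /api/modular-connector/login?origin=mo&type=foo HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.2 - - [14/Jan/2026:03:13:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jan/2026:03:13:09 +0000] "GET /api/modular-connector/login?origin=mo&type=bar HTTP/1.1" 403 0 "-" "curl/8.4.0"
192.0.2.9 - - [14/Jan/2026:03:14:00 +0000] "GET /api/modular-connector/status?origin=dashboard HTTP/1.1" 200 88 "-" "Modular/2.5.2"
""".splitlines()

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

A 302 hit should be treated as a probable administrator session being issued; a 403 hit shows the same request pattern being blocked, which still warrants a look at the source address.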

Remediation Steps:

  1. Update the plugin via WordPress dashboard or WP-CLI.
  2. Edit 'wp-config.php' and update the Authentication Unique Keys and Salts.
  3. Review the list of users with Administrator privileges and delete unknown accounts.
  4. Scan the server for webshells or modified PHP files created after January 13, 2026.

