WordPress Modular DS Plugin Flaw Actively Exploited for Admin Takeover
CVE-2026-23550 (CVSS 10.0) allows unauthenticated privilege escalation on 40,000+ WordPress sites.
A critical vulnerability in the WordPress Modular DS plugin is being actively exploited to gain administrator access on over 40,000 websites, security researchers warned on January 22.
Vulnerability Details
CVE-2026-23550 carries a maximum CVSS score of 10.0 and allows completely unauthenticated attackers to achieve privilege escalation—no login, credentials, or user interaction required.
Technical Analysis
The flaw is rooted in the plugin's routing mechanism. Sensitive routes are designed to require authentication, but when "direct request" mode is enabled the authentication layer can be bypassed by supplying specific request parameters. The bypass allows actions such as remote administrator logins and access to sensitive data.
Active Exploitation
Patchstack researchers detected the first attacks on January 13 around 02:00 UTC. Exploitation can lead to full site compromise, including malware injection and phishing redirects.
Timeline and Patch
Patchstack reported the vulnerability on January 14 at 08:04 UTC, published an advisory at 08:30 UTC, and the developer released version 2.5.2 at 09:26 UTC. Version 2.6.0, released January 16, includes additional security fixes.
Administrators should update to version 2.5.2 or later immediately and consider restricting access to the plugin's API endpoints.