Tech Insights 26 January 2026 9 min read

Modular DS Flaw Gives Hackers Instant WordPress Admin Access: 40K Sites at Risk

A perfect CVSS 10.0 vulnerability in the Modular DS WordPress plugin is being actively exploited to grant attackers instant administrator access. 40,000 sites affected. Update to version 2.6.0 immediately.

Mark McNeece Founder, 365i
At a Glance
  • A CVSS 10.0 vulnerability in the Modular DS plugin lets unauthenticated attackers gain instant WordPress admin access.
  • Around 40,000 WordPress installations are affected, with active exploitation detected since 13 January 2026.
  • Two CVEs were identified (CVE-2026-23550 and CVE-2026-23800); only version 2.6.0 patches both.
  • Attackers create rogue admin accounts with username "backup" and email "backup@wordpress.com" to maintain access.
  • Site owners should update immediately, check for unknown admin accounts, and regenerate WordPress salts.

Hackers are actively exploiting a perfect 10.0 CVSS vulnerability in the Modular DS WordPress plugin to gain instant administrator access to websites. The attacks, first detected on 13 January 2026, have affected an estimated 40,000 WordPress installations running the plugin.

According to Patchstack's security advisory, the vulnerability allows unauthenticated attackers to bypass authentication entirely and automatically log in as an administrator. No credentials required. No user interaction needed. If your site runs a vulnerable version, attackers can take complete control.

Two related vulnerabilities have been identified: CVE-2026-23550 (patched in version 2.5.2) and CVE-2026-23800 (patched in version 2.6.0). Site owners must update to version 2.6.0 immediately.

What Happened

Modular DS is a WordPress plugin used to manage multiple WordPress sites from a single dashboard. It enables remote monitoring, updates, user management, and login functionality across connected sites. Over 40,000 WordPress installations actively use the plugin.

On 13 January 2026 at approximately 02:00 UTC, security researchers detected the first exploitation attempts. Attackers were sending specially crafted requests to the plugin's login endpoint, bypassing authentication and gaining administrator access within seconds.

The vulnerability was reported to Patchstack on 14 January at 08:04 UTC. Within hours, the Modular DS team released version 2.5.2 with an initial fix. On 16 January, a second exploit path was discovered, prompting the release of version 2.6.0 with additional security hardening.

Attackers are creating rogue admin accounts with generic usernames like "backup" to maintain persistent access to compromised sites.

How the Attack Works

The technical details reveal a cascade of security failures. The plugin exposes routes under the /api/modular-connector/ prefix. When "direct request" mode is enabled, attackers can bypass the security layer by supplying specific parameters: origin=mo and type=xxx.

This exposes several sensitive routes including /login/, /server-information/, /manager/, and /backup/. The login route is particularly dangerous because of a fatal flaw in the authentication logic.

"When the request body does not specify a particular user ID, the plugin's login flow falls back to selecting an existing administrator account and automatically logging in as that user."

- Patchstack Vulnerability Database

In plain English: the plugin was designed to let authorised remote administrators log in without credentials. The problem? It accepted requests from anyone as "authorised" when certain conditions were met. The authentication simply did not exist for these attack vectors.

Indicators of Compromise

Security researchers have identified specific attack patterns that site owners should check for:

Attacking IP Addresses

  • 45.11.89.19
  • 185.196.0.11

Rogue Admin Accounts

Attackers typically create administrator accounts with:

  • Username: backup
  • Email: backup@wordpress.com or backup1@wordpress.com

Suspicious Log Entries

Check your server access logs for requests to:

  • /api/modular-connector/login/
  • Requests containing origin=mo parameter
  • User agents like Python-urllib, curl, or Go-http-client
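
The log checks above can be automated. The following is an added example, not code from Patchstack or the plugin's authors; it assumes the Apache/nginx "combined" access log format, and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators listed in the article above.
IOC_IPS = {"45.11.89.19", "185.196.0.11"}
IOC_PREFIX = "/api/modular-connector/"
IOC_AGENTS = ("python-urllib", "curl", "go-http-client")
# Assumed layout: Apache/nginx "combined" access log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'
)

def triage(line):
    """Return (ip, timestamp, status, reasons) for a plugin-route hit, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Decode, then search the whole target: the site may live in a subdirectory.
    target = unquote(m["target"]).lower()
    if IOC_PREFIX not in target:
        return None
    reasons = ["modular-connector route"]
    if IOC_PREFIX + "login" in target:
        reasons.append("login route")
    if "mo" in parse_qs(urlsplit(m["target"]).query).get("origin", []):
        reasons.append("origin=mo")
    if m["ip"] in IOC_IPS:
        reasons.append("known attacking IP")
    if any(a in (m["ua"] or "").lower() for a in IOC_AGENTS):
        reasons.append("scripted user agent")
    return m["ip"], m["ts"], int(m["status"]), reasons

def scan(lines):
    """Triage every line and keep only the hits, most indicators first."""
    hits = [h for h in map(triage, lines) if h]
    return sorted(hits, key=lambda h: len(h[3]), reverse=True)

# Constructed sample lines for illustration, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [13/Jan/2026:01:58:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [13/Jan/2026:02:01:09 +0000] "GET /api/modular-connector/server-information/?origin=mo HTTP/1.1" 403 12 "-" "curl/8.5.0"',
    '45.11.89.19 - - [13/Jan/2026:02:03:11 +0000] "GET /api/modular-connector/login/?origin=mo HTTP/1.1" 302 0 "-" "Python-urllib/3.11"',
]

if __name__ == "__main__":
    for ip, ts, status, reasons in scan(SAMPLE):
        print(f"{ts} {ip} HTTP {status}: {', '.join(reasons)}")
```

Any hit on the login route that was not rejected by the server deserves the full audit described under "What You Need to Do", whatever the source IP.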

This follows a pattern we've seen before. In December 2025, 131,000 attacks targeted WordPress sites via the Sneeit RCE flaw. Automated scanners probe for vulnerable plugins constantly, and unpatched sites are typically compromised within hours of a vulnerability becoming public.

Managed WordPress hosting with WAF protection and automatic updates prevents exploitation of zero-day vulnerabilities.

What You Need to Do

If you use the Modular DS plugin, take these steps immediately:

1. Update to Version 2.6.0

This is non-negotiable. Versions 2.5.1 and earlier are actively being exploited. Version 2.5.2 patches the first vulnerability but not the second. Only version 2.6.0 addresses both CVE-2026-23550 and CVE-2026-23800.

2. Check for Rogue Admin Accounts

Log into your WordPress admin and navigate to Users → All Users. Look for any administrators you don't recognise, particularly accounts named "backup" or with @wordpress.com or @example.com email addresses. Delete any suspicious accounts immediately.

3. Review Server Access Logs

Check for requests to /api/modular-connector/ from the attacking IP addresses. If you see these requests, assume your site has been compromised and perform a full security audit.

4. Regenerate WordPress Salts

After updating, regenerate your WordPress security keys and salts. This invalidates any sessions that attackers may have established. You can generate new keys at api.wordpress.org.

5. Consider WAF Protection

A Web Application Firewall (WAF) can block attack attempts before they reach your site. Services like Cloudflare, Sucuri, or managed WordPress hosts with built-in WAF protection add an essential layer of defence against zero-day exploits.
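
Steps 1 and 2 can be checked with a short script. This is an added example, not code from the plugin's authors or Patchstack; the `known_admins` allowlist and the sample users are hypothetical, and the input is assumed to be JSON produced by WP-CLI's `wp user list`.

```python
import json
import re
from datetime import datetime

# Fix versions and account indicators as stated in the article above.
FIXED_IN = {"CVE-2026-23550": (2, 5, 2), "CVE-2026-23800": (2, 6, 0)}
ROGUE_LOGINS = {"backup"}
ROGUE_DOMAINS = {"wordpress.com", "example.com"}
FIRST_SEEN = datetime(2026, 1, 13)  # first exploitation attempts detected

def unpatched_cves(version):
    """CVEs the installed plugin version is not patched for."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    v = tuple(nums + [0] * (3 - len(nums)))  # "2.6" compares as (2, 6, 0)
    return sorted(cve for cve, fixed in FIXED_IN.items() if v < fixed)

def audit_admins(wp_cli_json, known_admins):
    """Flag administrators that match an indicator or are not on the allowlist."""
    findings = {}
    for user in json.loads(wp_cli_json):
        login, email = user["user_login"].lower(), user["user_email"].lower()
        reasons = []
        if login in ROGUE_LOGINS:
            reasons.append("rogue username")
        if email.rpartition("@")[2] in ROGUE_DOMAINS:
            reasons.append("rogue email domain")
        created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if created >= FIRST_SEEN:
            reasons.append("created on or after first exploitation date")
        if login not in known_admins:
            reasons.append("not on allowlist")
        if reasons:
            findings[user["user_login"]] = reasons
    return findings

# Constructed sample, shaped like the output of:
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=json
SAMPLE = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@shop.example.net",
     "user_registered": "2023-04-02 10:15:00"},
    {"ID": 57, "user_login": "backup", "user_email": "backup1@wordpress.com",
     "user_registered": "2026-01-13 02:04:37"},
])

if __name__ == "__main__":
    print(unpatched_cves("2.5.2"), audit_admins(SAMPLE, {"siteowner"}))
```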

Why This Keeps Happening

This is not an isolated incident. WordPress plugins are a frequent target because they are often developed by small teams with limited security resources, and they can grant access to thousands of sites simultaneously. Just two days after this article was published, the WP Go Maps plugin vulnerability exposed another 300,000 sites, and on the same day, Microsoft disclosed an actively exploited Office zero-day affecting over 400 million users.

In December 2025 alone, four critical WordPress plugin vulnerabilities were under active attack. The pattern is predictable: vulnerability discovered, patch released, and a race begins between site owners updating and attackers exploiting the window.

"For organizations running Modular DS, the priority is to update quickly, then validate that no unauthorized admin access occurred by reviewing logs, accounts, and installed components for suspicious changes."

- eSecurity Planet

For many UK small businesses, keeping up with WordPress security updates is hard. You're running a plumbing business or accountancy practice, not an IT department. Yet your website is under constant automated attack from vulnerability scanners that don't care about your industry or size.

This is precisely why managed WordPress maintenance and proactive security monitoring exist. When your hosting provider handles updates, monitors for suspicious activity, and maintains WAF protection, you don't have to drop everything every time a vulnerability like CVE-2026-23550 appears. Our roundup of critical WordPress security vulnerabilities in 2025 shows just how relentless this pattern has become.

Timeline

Modular DS Vulnerability Timeline

Date                          Event
13 January 2026, 02:00 UTC    First exploitation attempts detected
14 January 2026, 08:04 UTC    Vulnerability reported to Patchstack
14 January 2026, 08:30 UTC    Security advisory published
14 January 2026, 09:26 UTC    Version 2.5.2 released (initial fix)
14 January 2026, 10:28 UTC    CVE-2026-23550 confirmed resolved
16 January 2026               Second exploit path discovered (CVE-2026-23800)
16 January 2026               Version 2.6.0 released (complete fix)

Frequently Asked Questions

How do I check if my site is affected?

Check your WordPress plugins list for "Modular DS" or "Modular Connector". If installed and running version 2.5.1 or earlier, your site is vulnerable. Also check your admin users list for any accounts you don't recognise, particularly usernames like "backup".

What if I'm not using the Modular DS plugin?

If you don't have the Modular DS plugin installed, your site is not affected by this specific vulnerability. However, this incident highlights the importance of keeping all plugins updated and removing any you don't actively use.

What does CVSS 10.0 mean?

CVSS (Common Vulnerability Scoring System) rates security flaws from 0 to 10. A score of 10.0 is the maximum severity, indicating the vulnerability is trivial to exploit, requires no authentication, and gives attackers complete control. This is as bad as it gets.

What if my site has already been compromised?

Update the plugin immediately, delete any rogue admin accounts, regenerate WordPress salts, and perform a full security scan. Check for any new files in your WordPress installation, particularly in /wp-content/plugins/ and /wp-content/uploads/. Consider restoring from a backup taken before 13 January if available.

Will a WAF protect against this vulnerability?

Patchstack deployed a firewall rule blocking this attack on 14 January for their customers. Other WAF providers like Cloudflare and Sucuri have likely added similar rules. A WAF provides defence-in-depth but updating the plugin remains essential.

Why was there a second vulnerability (CVE-2026-23800)?

During the investigation into CVE-2026-23550, researchers discovered an additional exploit path in the plugin's code. This second vulnerability affects version 2.5.2, which means the initial patch was incomplete. Version 2.6.0 addresses both vulnerabilities completely.

How can I prevent this happening in future?

Enable automatic updates for WordPress plugins, use a WAF, regularly audit your installed plugins (remove any you don't use), and consider managed WordPress hosting where security updates are handled for you. The best defence is reducing your attack surface.

Worried About WordPress Security?

Managed WordPress hosting with 365i includes automatic security updates, WAF protection, and proactive monitoring. We handle the technical security so you can focus on your business.
