A critical security flaw tracked as CVE-2026-23550 in the Modular DS WordPress plugin has a CVSS score of 10.0 and affects all versions up to 2.5.1. This unauthenticated privilege escalation vulnerability allows remote attackers to bypass authentication and gain full administrator access to WordPress sites.
Exploitation began on January 13, 2026, with attackers using automated scans to target the /api/modular-connector/login/ endpoint, creating unauthorized admin accounts like ‘modular_admin’ or ‘wp_admin2’, deploying malware, and exfiltrating data. The plugin has over 40,000 active installations, putting e-commerce, media, education, and SME sites at high risk.
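One way to check a site for the indicators named above, as an added example that is not taken from the plugin or from any vendor advisory: it scans web-server access logs for requests to the `/api/modular-connector/login/` endpoint and checks the administrator list for the two reported account names. It assumes Combined Log Format; the log lines, IP addresses, HTTP methods, status codes and admin list are constructed sample data.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Indicators taken from the article; it lists the account names as examples,
# so an empty result here does not prove the site is clean.
ENDPOINT = "/api/modular-connector/login"
SUSPECT_ADMINS = {"modular_admin", "wp_admin2"}

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def normalise_path(target):
    """Drop the query string, percent-decode, collapse slashes, lowercase."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).rstrip("/").lower()

def find_endpoint_hits(lines):
    """Return (ip, timestamp, method, status) for every request to the endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        # endswith() also covers WordPress installed in a subdirectory
        if m and normalise_path(m["target"]).endswith(ENDPOINT):
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits

def hits_per_source(hits):
    """Count endpoint requests per client IP to surface automated scanning."""
    return Counter(ip for ip, *_ in hits)

def suspicious_admins(admin_logins):
    """Return the reported account names that exist among the site's admins."""
    return sorted(SUSPECT_ADMINS & {u.strip().lower() for u in admin_logins})

# Constructed sample data (documentation IP ranges, invented methods and statuses)
SAMPLE_LOG = [
    '198.51.100.23 - - [13/Jan/2026:04:12:09 +0000] "GET /api/modular-connector/login/ HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [13/Jan/2026:04:12:10 +0000] "GET /API//modular-connector/%6Cogin/?a=1 HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [13/Jan/2026:05:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "-"',
    '192.0.2.44 - - [14/Jan/2026:09:30:00 +0000] "POST /blog/api/modular-connector/login HTTP/1.1" 403 0 "-" "-"',
]
SAMPLE_ADMINS = ["alice", "Modular_Admin ", "wp_admin2", "editor1"]

if __name__ == "__main__":
    hits = find_endpoint_hits(SAMPLE_LOG)
    for ip, count in hits_per_source(hits).most_common():
        print(f"{ip}: {count} request(s) to {ENDPOINT}/")
    print("admin accounts to review:", suspicious_admins(SAMPLE_ADMINS))
```

On a real site, feed `find_endpoint_hits` the lines of the access log covering January 13, 2026 onward, and pass `suspicious_admins` the current list of administrator logins.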