⚠ Critical · CVSS 10.0 · Active exploitation confirmed
What is happening
On February 9, 2026, VenCERT published an advisory about a critical vulnerability in the Modular DS / Modular Connector plugin for WordPress (CVE-2026-23550), scoring CVSS 10.0, which allows an attacker to gain administrator access without any credentials.
This is not theoretical: active exploitation in the wild has been confirmed.
The technical vector (no fluff)
The plugin exposes routes under the prefix:
/api/modular-connector/
There is a way to trigger a “direct request” mode simply by appending parameters such as:
origin=mo and type=<any_value>
This causes the plugin to treat the request as if it came from the legitimate platform, bypassing the authentication middleware. Subsequently, routes like /login/ can trigger auto-login as admin on already connected sites (with tokens present or renewable).
Key dates
| Event | Date |
|---|---|
| First exploitation detections | January 13, 2026 (~02:00 UTC) |
| CVE published / initial advisories | January 14, 2026 |
| Initial patch (2.5.2) | January 2026 |
| Required update (2.6.0) | After additional research |
Affected versions
All versions up to and including 2.5.1.
Real-world impact if exploited
- Administrator access to the site
- Creation of new admin accounts
- Persistence through plugins, themes or backdoors
- Content modification (SEO poisoning) or traffic redirection
- Full control of the WordPress installation
Indicators of Compromise (IoC) to review
- Access logs with automated user agents: Python-urllib, curl, Go-http-client
- New admin accounts with unusual patterns (e.g. emails ending in @example.com)
- Unexpected file changes or credentials that need rotating
- Requests to /api/modular-connector/login/ followed by admin user creation attempts
Patchstack reported source IPs observed in attacks. If you manage multiple sites, cross-reference your logs against those IPs.
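A triage pass over web access logs for the request-side indicators listed above. This is an added example, not code from Vulnity, Patchstack or the plugin vendor. It assumes Combined Log Format, reads the parameter names `origin` and `type` from the parameter string shown earlier on this page, and runs on constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - - [ts] "METHOD target PROTO" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
PREFIX = "/api/modular-connector/"
AUTOMATED_UA = re.compile(r"python-urllib|curl|go-http-client", re.I)


def triage(line):
    """Return findings for one log line, or None if it is not a connector request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = url.path if url.path.endswith("/") else url.path + "/"
    if not path.startswith(PREFIX):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    flags = []
    if path.startswith(PREFIX + "login/"):
        flags.append("connector-login")
    if "origin" in params and "type" in params:
        flags.append("direct-request-params")
    if AUTOMATED_UA.search(m["ua"]):
        flags.append("automated-ua")
    return {"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "flags": flags}


def scan(lines):
    """Keep only connector requests that raised at least one flag."""
    hits = (triage(line) for line in lines)
    return [h for h in hits if h and h["flags"]]


# Constructed sample lines (documentation IP ranges and made-up values, not attack data).
SAMPLE = [
    '198.51.100.7 - - [13/Jan/2026:02:04:11 +0000] "GET /api/modular-connector/login/?origin=x&type=y HTTP/1.1" 302 0 "-" "python-urllib/3.11"',
    '203.0.113.9 - - [13/Jan/2026:02:05:40 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [13/Jan/2026:02:06:02 +0000] "POST /api/modular-connector/some-route HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit["ts"], hit["ip"], hit["status"], ",".join(hit["flags"]))
```

Flagged source IPs and timestamps give you the window in which to look for new administrator accounts and file changes.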
What to do right now (step by step)
- Update the plugin now
  Minimum: 2.5.2 · Vendor recommended: 2.6.0 (REQUIRED)
- Regenerate WordPress salts
  Invalidates all active sessions and cuts off stolen sessions.
- Regenerate OAuth credentials and reconnect sites (if applicable)
- Audit administrators
  Remove suspicious accounts and review recent role/user changes.
- Scan files and plugins for malware
  Tools like Imunify can detect malicious additions.
- (Extra defensive) Restrict the endpoint
  If you operate many sites, consider restricting access to /api/modular-connector/ by IP, VPN or WAF while you finish your review.
Why this matters if you manage multiple sites
There was active exploitation. The attack vector was an authentication bypass on connector routes. If you manage multiple WordPress sites with Modular DS, this is exactly the kind of incident that ruins your week if you lack operational visibility.
With Vulnity you can detect signals like:
- Spikes in anomalous access attempts
- Unauthorized admin user creation
- Critical file changes
- Out-of-pattern access
And generate a timeline and report to show your client what was prevented and what was done. No posturing — just data.
About Vulnity
Keeping WordPress secure requires constant vigilance. Vulnity does that work for you: detecting anomalies, alerting on suspicious changes, and logging everything.