Hackers exploit WordPress plugin security flaw exposing 40,000 websites to complete takeover risk - here's how to stay safe

News
By published

Critical WordPress plugin flaw exposed some 40,000 users

WordPress logo on mobile
(Image credit: Shutterstock)
  • Patchstack found critical Modular DS flaw (CVE-2026-23550) allowing admin bypass
  • Vulnerability scored 10/10 and is already being exploited in the wild
  • Vendor released fix in version 2.5.2; users urged to upgrade immediately

If your WordPress website is running the Modular DS plugin, you might want to update to the latest version as soon as possible.

Modular DS is a popular WordPress plugin used by more than 40,000 websites which allows website admins manage multiple WordPress sites from a single dashboard.

However security researchers Patchstack recently discovered its versions 2.5.1 and older carried design and implementation vulnerabilities which exposed multiple sensitive routes and activated an automatic login fallback mechanism.

Evidence of attacks

These vulnerabilities include direct route selection, bypassing of authentication mechanisms, and auto-login as admin, the researchers explained. As a result, malicious actors could have bypassed all authentication mechanisms remotely and access the compromised websites with an administrator account.

“As soon as the site has already been connected to Modular (tokens present/renewable), anyone can pass the auth middleware: there is no cryptographic link between the incoming request and Modular itself,” Patchstacak explained.

“This exposes several routes [...] which allow various actions to be performed, ranging from remote login to obtaining sensitive system or user data.”

The vulnerability is now tracked as CVE-2026-23550 and was given a severity score of 10/10 (critical).

In its write-up, Patchstack said the flaw is already being exploited in the wild, and that first attacks were detected on January 13, 2026, citing WP.one Support Engineer’s team. The Modular DS vendor was notified on January 14 (a day after the first attacks were confirmed), and it came back with a fix “only a few hours later.”

The fix brought Modular DS to version 2.5.2, and users are now advised to upgrade without delay.

“We strongly recommend that all Modular DS installations ensure they are running this version as soon as possible and complete the following actions,” Modular DS said in a security advisory.

The actions advised include reviewing potential indicators of compromise (which can be found here), regenerating WordPress salts, regenerating OAuth credentials, and scanning the site for malicious plugins or files.

Via BleepingComputer

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.