January 15, 2026 By Bill Toulas
Hackers are actively exploiting a maximum severity flaw in the Modular DS WordPress plugin that allows them to bypass authentication remotely and access the vulnerable sites with admin-level privileges.
The flaw, tracked as CVE-2026-23550, affects versions 2.5.1 and older of Modular DS, a management plugin that allows managing multiple WordPress sites from a single interface.
The plugin lets owners, developers, or hosting providers remotely monitor sites, perform updates, manage users, access server information, run maintenance tasks, and log in. Modular DS has more than 40,000 installations.
According to Patchstack researchers, CVE-2026-23550 is currently exploited in the wild, the first attacks being detected on January 13, around 02:00 UTC.
Patchstack confirmed the flaw and reached out to the vendor on the following day. Modular DS released a fix in version 2.5.2, only a few hours later.