Modular DS WordPress plugin unauthenticated privilege escalation (CVE-2026-23550)
Vulnerability
Summary
Hide ▲
Show ▼
Active exploitation of CVE-2026-23550 in the Modular DS WordPress plugin puts all versions through 2.5.1 at risk of unauthenticated privilege escalation. The flaw can give attackers administrator access and lead to full site compromise, while 2.5.2 fixes the issue. Exploitation was observed in the wild on January 13, 2026 using /api/modular-connector/login/ to try to create an admin user.
Related Happenings
PhpBB authentication bypass flaw
Vulnerability
H score33
First: 09.06.2026 17:00
Last: 09.06.2026 17:00
Sources 1
About this happening:
A critical **phpBB authentication bypass** now exposes **versions up to 3.3.16** and the **4.0.0 alpha** to **account takeover**, including administrators, through **one unauthent...
PhpBB authentication bypass flaw
VulnerabilityAbout this happening: A critical **phpBB authentication bypass** now exposes **versions up to 3.3.16** and the **4.0.0 alpha** to **account takeover**, including administrators, through **one unauthent...
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
Vulnerability
H score72
First: 16.05.2026 18:20
Last: 16.05.2026 18:20
Sources 1
About this happening:
**Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw
VulnerabilityAbout this happening: **Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...
WordPress.org closes compromised EssentialPlugin plugins with forced update
Security Tool/Service
H score16
First: 15.04.2026 23:33
Last: 15.04.2026 23:33
Sources 1
About this happening:
**WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...
WordPress.org closes compromised EssentialPlugin plugins with forced update
Security Tool/ServiceAbout this happening: **WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...
OpenClaw ClawJacked localhost WebSocket brute-force security flaw
Vulnerability
H score37
First: 01.03.2026 23:44
Last: 01.03.2026 23:44
Sources 1
About this happening:
**OpenClaw**’s **ClawJacked** vulnerability allowed a **malicious website** to brute-force a **localhost WebSocket** connection and take control of a local instance, putting **ses...
OpenClaw ClawJacked localhost WebSocket brute-force security flaw
VulnerabilityAbout this happening: **OpenClaw**’s **ClawJacked** vulnerability allowed a **malicious website** to brute-force a **localhost WebSocket** connection and take control of a local instance, putting **ses...
Quiz and Survey Master SQL injection mitigation (CVE-2025-67987)
Advisory/Mitigation
H score61
First: 03.02.2026 18:15
Last: 03.02.2026 18:15
Sources 1
About this happening:
**Patchstack** published mitigation guidance for **CVE-2025-67987**, directing administrators to update **Quiz and Survey Master** to **version 10.3.2** to close a **SQL injection...
Quiz and Survey Master SQL injection mitigation (CVE-2025-67987)
Advisory/MitigationAbout this happening: **Patchstack** published mitigation guidance for **CVE-2025-67987**, directing administrators to update **Quiz and Survey Master** to **version 10.3.2** to close a **SQL injection...
Timeline
-
15.01.2026 22:49 1 articles · 5mo ago
Modular DS releases version 2.5.2 fix for CVE-2026-23550
Mitigation Patch UpdateModular DS released version 2.5.2 to fix CVE-2026-23550 after Patchstack confirmed the flaw and contacted the vendor. The update removed URL-based route matching, drove routing entirely through validated filter logic, added a default 404 route, and made unrecognized requests fail safely.
Show sources
- Hackers exploit Modular DS WordPress plugin flaw for admin access — www.bleepingcomputer.com — 15.01.2026 22:49
-
15.01.2026 17:31 1 articles · 5mo ago
Modular DS WordPress plugin unauthenticated privilege escalation (CVE-2026-23550)
Initial DisclosureBy **January 13, 2026**, attackers were sending **GET** requests to **/api/modular-connector/login/** to try to create admin users through **CVE-2026-23550**. The flaw stems from a bypass of the plugin's authentication routing and can turn a low-friction request into **administrator access**.
Show sources
- Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access — thehackernews.com — 15.01.2026 17:31