Find notable cyber news and cases, enriched with sources, timelines, and signals.

Modular DS WordPress plugin unauthenticated privilege escalation (CVE-2026-23550)

Vulnerability
First reported
Last updated
Happening score
H score 14
2 unique sources, 2 articles

Summary

Hide ▲

Active exploitation of CVE-2026-23550 in the Modular DS WordPress plugin puts all versions through 2.5.1 at risk of unauthenticated privilege escalation. The flaw can give attackers administrator access and lead to full site compromise, while 2.5.2 fixes the issue. Exploitation was observed in the wild on January 13, 2026 using /api/modular-connector/login/ to try to create an admin user.

Related Happenings

PhpBB authentication bypass flaw

Vulnerability
H score33 First: 09.06.2026 17:00 Last: 09.06.2026 17:00 Sources 1

About this happening: A critical **phpBB authentication bypass** now exposes **versions up to 3.3.16** and the **4.0.0 alpha** to **account takeover**, including administrators, through **one unauthent...

Funnel Builder plugin WordPress arbitrary JavaScript injection actively exploited security flaw

Vulnerability
H score72 First: 16.05.2026 18:20 Last: 16.05.2026 18:20 Sources 1

About this happening: **Funnel Builder** for **WordPress** is under **active exploitation** for arbitrary JavaScript injection into **WooCommerce checkout pages**, creating payment-skimming risk across...

WordPress.org closes compromised EssentialPlugin plugins with forced update

Security Tool/Service
H score16 First: 15.04.2026 23:33 Last: 15.04.2026 23:33 Sources 1

About this happening: **WordPress.org** closed the compromised **EssentialPlugin** plugins and forced an update, changing how affected sites received and ran the package. The move mattered because the...

OpenClaw ClawJacked localhost WebSocket brute-force security flaw

Vulnerability
H score37 First: 01.03.2026 23:44 Last: 01.03.2026 23:44 Sources 1

About this happening: **OpenClaw**’s **ClawJacked** vulnerability allowed a **malicious website** to brute-force a **localhost WebSocket** connection and take control of a local instance, putting **ses...

Quiz and Survey Master SQL injection mitigation (CVE-2025-67987)

Advisory/Mitigation
H score61 First: 03.02.2026 18:15 Last: 03.02.2026 18:15 Sources 1

About this happening: **Patchstack** published mitigation guidance for **CVE-2025-67987**, directing administrators to update **Quiz and Survey Master** to **version 10.3.2** to close a **SQL injection...

Timeline

  1. 15.01.2026 22:49 1 articles · 5mo ago

    Modular DS releases version 2.5.2 fix for CVE-2026-23550

    Mitigation Patch Update

    Modular DS released version 2.5.2 to fix CVE-2026-23550 after Patchstack confirmed the flaw and contacted the vendor. The update removed URL-based route matching, drove routing entirely through validated filter logic, added a default 404 route, and made unrecognized requests fail safely.

    Show sources
  2. 15.01.2026 17:31 1 articles · 5mo ago

    Modular DS WordPress plugin unauthenticated privilege escalation (CVE-2026-23550)

    Initial Disclosure

    By **January 13, 2026**, attackers were sending **GET** requests to **/api/modular-connector/login/** to try to create admin users through **CVE-2026-23550**. The flaw stems from a bypass of the plugin's authentication routing and can turn a low-friction request into **administrator access**.

    Show sources