
Unauthenticated Privilege Escalation in WordPress Modular DS Plugin Exploited in the Wild

2 unique sources, 2 articles

Summary

A critical vulnerability (CVE-2026-23550, CVSS 10.0) in the WordPress Modular DS plugin, affecting versions up to 2.5.1, is being actively exploited to gain admin access. The flaw allows unauthenticated attackers to bypass authentication and escalate privileges, potentially leading to full site compromise. The issue stems from a combination of design choices, including permissive direct request handling and weak authentication mechanisms. The vulnerability was patched in version 2.5.2, and attacks were first detected on January 13, 2026, originating from specific IP addresses. The Modular DS plugin has over 40,000 installations. Users are urged to update immediately to mitigate the risk.

Timeline

  1. 15.01.2026 17:31 · 2 articles

    Active Exploitation of CVE-2026-23550 in WordPress Modular DS Plugin

    On January 13, 2026, attacks exploiting CVE-2026-23550 in the WordPress Modular DS plugin were first detected. The vulnerability allows unauthenticated attackers to bypass authentication and gain admin access, potentially leading to full site compromise. The flaw has been patched in version 2.5.2, and users are urged to update immediately. The Modular DS plugin has over 40,000 installations. The vulnerability is caused by accepting requests as trusted without a cryptographic check when 'direct request' mode is activated, exposing multiple sensitive routes and activating an automatic admin login fallback mechanism. The patch in version 2.5.2 removed URL-based route matching and added a default 404 route, along with validated filter logic and a safe failure mode for unrecognized requests.


Similar Happenings

Sneeit WordPress RCE Exploited in Active Attacks

A critical remote code execution (RCE) vulnerability (CVE-2025-6389) in the Sneeit Framework plugin for WordPress is being actively exploited in the wild. The flaw, affecting versions up to 8.3, allows unauthenticated attackers to execute arbitrary PHP functions, including creating malicious administrator accounts and injecting backdoors. Exploitation began on November 24, 2025, with over 131,000 attack attempts blocked by Wordfence. Additionally, a critical flaw in ICTBroadcast (CVE-2025-2611) is being exploited to deliver the Frost DDoS botnet. The botnet uses multiple exploits to spread and conduct targeted DDoS attacks, with evidence pointing to a small, targeted operation.

Post SMTP Plugin Vulnerability Exploited to Hijack WordPress Admin Accounts

A critical vulnerability in the Post SMTP WordPress plugin, tracked as CVE-2025-11833, is being actively exploited to hijack administrator accounts. The flaw allows unauthenticated attackers to read arbitrary logged emails, including password reset messages, leading to account takeover and full site compromise. The vulnerability affects Post SMTP versions 3.6.0 and older, with over 400,000 downloads. The issue was reported on October 11 and patched on October 29. However, as of November 4, at least 210,000 sites remain vulnerable. Exploitation attempts began on November 1, with over 4,500 blocked attempts since then. The Post SMTP plugin is a popular email delivery solution for WordPress.

JobMonster WordPress Theme Authentication Bypass Exploits

Threat actors are actively exploiting a critical authentication bypass vulnerability (CVE-2025-5397) in the JobMonster WordPress theme. This flaw allows unauthenticated attackers to hijack administrator accounts if social login is enabled. The vulnerability affects all versions up to 4.8.1 and has been patched in version 4.8.2. The JobMonster theme is used by job listing sites and recruitment portals, with over 5,500 sales on Envato. The flaw is due to improper verification of user identity in the check_login() function, enabling attackers to bypass standard authentication. To mitigate the risk, users are advised to update to the latest version, disable social login, enable two-factor authentication, and monitor access logs for suspicious activity.

Critical vulnerabilities in Elementor King Addons plugin affect 10,000 WordPress sites

The Elementor King Addons plugin, used by over 10,000 WordPress sites, has two unauthenticated critical vulnerabilities. These flaws can lead to full site takeovers. The vulnerabilities include an arbitrary file upload flaw (CVE-2025-6327) and a privilege escalation issue (CVE-2025-6325). The plugin's vendor has released version 51.1.37 to address these issues. The arbitrary file upload vulnerability allows attackers to place files in web-accessible directories due to improper nonce handling and file validation. The privilege escalation flaw permits attackers to create administrator accounts by exploiting the registration endpoint. A critical security flaw, CVE-2025-8489 (CVSS score: 9.8), is under active exploitation, allowing unauthenticated attackers to grant themselves administrative privileges. The vulnerability affects versions from 24.12.92 through 51.1.14 and was patched in version 51.1.35, released on September 25, 2025. Site administrators should update the plugin immediately, audit their environments for any suspicious admin users, and monitor for any signs of abnormal activity. The flaw in the plugin's registration handler allows anyone signing up to specify their user role on the website, including the administrator role, without enforcing any restrictions. Attackers send a crafted 'admin-ajax.php' request specifying 'user_role=administrator' to create rogue admin accounts on targeted sites. The peak in exploitation activity occurred between November 9 and 10, with two IP addresses being the most active: 45.61.157.120 (28,900 attempts) and 2602:fa59:3:424::1 (16,900 attempts). Wordfence provides a list of offending IP addresses and recommends that website administrators look for them in the log files.
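The log check recommended above, sketched as an added example (not code from Wordfence or from this page). It matches the two addresses named in the summary by parsed value rather than by substring, so expanded IPv6 and IPv4-mapped forms are caught and look-alike addresses are not. It assumes the web server writes Combined Log Format; the sample lines are constructed.

```python
import ipaddress
import re

# The two most active source addresses named in the summary above.
REPORTED_SOURCES = {ipaddress.ip_address(a)
                    for a in ("45.61.157.120", "2602:fa59:3:424::1")}

# Combined Log Format prefix: client ident user [time] "METHOD path proto" status
LINE_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_client(text):
    """Parse the client field; unwrap IPv4-mapped IPv6. None if not an IP."""
    try:
        addr = ipaddress.ip_address(text.strip("[]"))
    except ValueError:
        return None
    return getattr(addr, "ipv4_mapped", None) or addr

def triage(lines):
    """Return one record per request that came from a reported source."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        client = parse_client(m["client"]) if m else None
        if client not in REPORTED_SOURCES:
            continue
        path = m["path"].split("?", 1)[0]
        hits.append({
            "client": str(client),
            "time": m["time"],
            # The user_role field travels in the POST body, which access logs
            # do not record, so a POST to admin-ajax.php is only a lead.
            "ajax_post": m["method"] == "POST"
                         and path.endswith("/wp-admin/admin-ajax.php"),
        })
    return hits

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '45.61.157.120 - - [09/Nov/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58',
    '2602:fa59:0003:0424:0000:0000:0000:0001 - - [10/Nov/2025:11:02:45 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58',
    '::ffff:45.61.157.120 - - [10/Nov/2025:11:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4021',
    '203.0.113.9 - - [10/Nov/2025:11:06:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 112',
    '145.61.157.120 - - [10/Nov/2025:11:07:30 +0000] "GET / HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Any hit is a reason to go on to the admin-user audit the summary recommends; the absence of hits does not clear a site, since only two of the reported addresses are checked here.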

Active exploitation of authentication bypass in Service Finder WordPress theme

Threat actors are actively exploiting a critical vulnerability in the Service Finder WordPress theme, allowing them to bypass authentication and gain administrative access. The flaw, tracked as CVE-2025-5947, affects versions 6.0 and older and has been exploited since September 2025. The vulnerability is present in the Service Finder Bookings plugin bundled with the Service Finder theme. Over 13,800 exploitation attempts have been recorded since August 2025, with a surge of over 1,500 attempts daily in late September. The flaw affects over 6,100 customers using the theme. Administrators are advised to update to version 6.1 or stop using the theme to mitigate the risk.