To the UCB-Security community,
This is a notice from the Information Security Office to alert you to a critical vulnerability that impacts WordPress servers using the Modular DS plugin. Please share this alert internally with IT admins and service owners who run the product so they are aware and know what actions to take to address this vulnerability.
SUMMARY
ISO is aware of a critical vulnerability that affects the Modular DS WordPress plugin[1]. This vulnerability, CVE-2026-23550, allows unauthenticated users to gain Administrator privileges due to a flaw in the “direct request” mode of the plugin.
IMPACT
Unauthorized users can become administrators of the sites.
WHAT IS VULNERABLE
WordPress sites running the Modular DS management plugin, version 2.5.1 and older.
RECOMMENDATIONS
- Upgrade any affected WordPress sites to version 2.5.2[2] or newer ASAP.
- Review server access logs for suspicious requests.
- Check Admin users for unauthorized additions.
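The following script is an added example to support the last two recommendations; it is not part of this notice and not code from the Modular DS project. It assumes the installed plugin version is a dotted numeric string and that the user list comes from WP-CLI (`wp user list --format=json`, whose records carry `user_login`, `roles` and `user_registered` fields); the sample user records and the known-admin baseline below are constructed for illustration. It flags an install as needing the upgrade when its version is below 2.5.2, and flags administrator accounts that are missing from a baseline list or were registered on or after a review date.

```python
"""Added example (not part of the ISO notice): defender-side checks that
follow the notice's recommendations for Modular DS / CVE-2026-23550.

Assumptions (not stated in the notice):
  * plugin version strings are dotted numerics such as "2.5.1";
  * user records are in the shape emitted by WP-CLI's
    `wp user list --format=json` (user_login, roles, user_registered).
All sample data below is constructed for illustration.
"""
import json
from datetime import datetime

# First fixed release named in the notice.
FIXED_VERSION = "2.5.2"

# Constructed sample: what `wp user list --format=json` might return.
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "roles": "administrator",
     "user_registered": "2021-03-04 10:00:00"},
    {"ID": 2, "user_login": "editor1", "roles": "editor",
     "user_registered": "2022-06-01 09:30:00"},
    {"ID": 57, "user_login": "wpsupport", "roles": "administrator",
     "user_registered": "2026-01-20 02:13:45"},
])

# Constructed baseline: administrator logins the site owner expects to exist.
KNOWN_ADMINS = {"siteowner"}


def parse_version(version: str) -> tuple:
    """Turn "2.5.1" into (2, 5, 1) so versions compare numerically,
    not lexically ("2.10.0" must sort above "2.5.2")."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed Modular DS version is older than 2.5.2."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def unexpected_admins(users_json: str, known_admins: set, since: str) -> list:
    """Return logins holding the administrator role that are either absent
    from the known-admin baseline or were registered on/after `since`
    (an ISO date such as "2026-01-01"). Either condition warrants review."""
    cutoff = datetime.fromisoformat(since)
    flagged = []
    for user in json.loads(users_json):
        roles = [r.strip() for r in user.get("roles", "").split(",")]
        if "administrator" not in roles:
            continue
        registered = datetime.fromisoformat(user["user_registered"])
        if user["user_login"] not in known_admins or registered >= cutoff:
            flagged.append(user["user_login"])
    return flagged


def main() -> None:
    installed = "2.5.1"  # constructed value; read the real one from the site
    if is_vulnerable_version(installed):
        print(f"Modular DS {installed} is below {FIXED_VERSION}: upgrade required")
    for login in unexpected_admins(SAMPLE_USERS, KNOWN_ADMINS, "2026-01-01"):
        print(f"review administrator account: {login}")


if __name__ == "__main__":
    main()
```

Run it against a real site by replacing the constructed `SAMPLE_USERS` with the output of `wp user list --format=json` and the baseline with the administrators you expect; any login it reports should be verified with the site owner before it is removed.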
REFERENCES
If you have any questions about the vulnerability or would like some assistance patching or mitigating it, please contact security@berkeley.edu.