Hackers exploit Modular DS WordPress plugin flaw for admin access

WordPress is an open-source Content Management System (CMS) designed for building and managing websites with ease, requiring minimal programming knowledge. It is highly versatile, supporting various website types such as corporate sites, news blogs, and online stores. WordPress offers extensive customization through themes and plugins, allowing users to add specific functionalities as needed. The system is developed using PHP and utilizes a MySQL database.

Incident :

A cyberattack has been detected exploiting a vulnerability in the Modular DS plugin for WordPress, which allows attackers to remotely bypass authentication and gain full control of affected websites with administrator-level privileges without requiring a legitimate login.

The vulnerability, assigned CVE-2026-23550, affects Modular DS version 2.5.1 and earlier. Modular DS is a management plugin designed to centrally manage multiple WordPress websites and currently has more than 40,000 active installations.

Researchers from Patchstack reported that the vulnerability is being actively exploited in the wild, with the first attack detected on January 13 at approximately 21:00. The issue stems from multiple design and implementation flaws, particularly the "direct request" mode, which treats incoming requests as trusted without performing secure cryptographic validation of their origin.

When no User ID is provided in the request body, the plugin automatically selects an existing Admin or Super Admin account within the website and logs in using that account. This behavior enables attackers to immediately escalate privileges and fully compromise the affected site, potentially leading to data modification or destruction, the injection of malicious code, theft of user information, or the use of the compromised website as a launch point for further attacks.
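To make the two design flaws above concrete, the following added example (not code from the Modular DS plugin, Patchstack, or WordPress) contrasts a handler that trusts the request body and falls back to an administrator when no user is named with a handler that requires an HMAC-SHA256 tag over the body, checks freshness, and refuses any request that does not name an explicit existing user. The shared secret, the user table, the function names and the 300-second replay window are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this example; a real console/site pair would
# exchange a distinct per-site secret out of band (assumption).
SHARED_SECRET = b"constructed-example-secret-do-not-reuse"

# Constructed stand-in for the site's user table: login -> role.
USERS = {
    "alice": "administrator",
    "bob": "editor",
}

# Requests older than this many seconds are rejected (limits replay).
MAX_SKEW_SECONDS = 300


def canonical_bytes(payload: dict) -> bytes:
    """Serialise the body deterministically so both sides MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def vulnerable_handle(body: dict) -> Optional[str]:
    """The weak pattern the text describes: the body is trusted as-is and a
    missing user_id falls back to an existing administrator. Returns the
    login the request would be executed as."""
    user_id = body.get("user_id")
    if user_id in USERS:
        return user_id
    for login, role in USERS.items():
        if role == "administrator":
            return login  # silent privilege escalation
    return None


def sign(body: dict, secret: bytes, ts: Optional[int] = None) -> dict:
    """Console side: add a timestamp and an HMAC-SHA256 tag over the body."""
    payload = dict(body, ts=int(time.time()) if ts is None else ts)
    payload["sig"] = hmac.new(secret, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return payload


def hardened_handle(body: dict, now: Optional[int] = None) -> Optional[str]:
    """Site side: act only if the body carries a valid, fresh HMAC and names an
    explicit existing user. There is no administrator fallback."""
    now = int(time.time()) if now is None else now
    sig, ts = body.get("sig"), body.get("ts")
    if not isinstance(sig, str) or not isinstance(ts, int):
        return None
    unsigned = {k: v for k, v in body.items() if k != "sig"}
    expected = hmac.new(SHARED_SECRET, canonical_bytes(unsigned), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the check does not leak the tag.
    if not hmac.compare_digest(expected, sig):
        return None
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None
    user_id = body.get("user_id")
    if not isinstance(user_id, str) or user_id not in USERS:
        return None
    return user_id


if __name__ == "__main__":
    print("vulnerable, empty body ->", vulnerable_handle({}))
    good = sign({"user_id": "bob"}, SHARED_SECRET)
    print("hardened, signed body  ->", hardened_handle(good))
    print("hardened, empty body   ->", hardened_handle({}))
```

The point of the hardened version is that origin is proven by the tag, not assumed from the transport, and that an absent user identity is an error rather than a reason to pick the most privileged account on the site.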

Solution :

1. Immediately update the Modular DS plugin to version 2.5.2 or later to remediate CVE-2026-23550.

2. Review server access logs to identify any suspicious or abnormal requests.

3. Audit administrator accounts (Admin / Super Admin) to ensure no unauthorized users have been added.

4. Remove or disable any unknown or unauthorized administrator accounts immediately.

5. Regenerate all WordPress salts after updating the plugin to invalidate existing sessions and authentication tokens.
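As an added example for steps 3 and 4 (not a tool from the page or from Modular DS), the script below audits an administrator export against a known-good baseline and the exploitation start date reported above. The export format is that of the real WP-CLI command `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json`; the sample rows, the baseline logins and the function names are constructed for this example.

```python
import json
from datetime import datetime
from typing import Dict, List, Set

# Constructed sample in the shape produced by the real WP-CLI command
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=json
# The rows are made up for this example.
SAMPLE_EXPORT = """[
  {"ID": "1", "user_login": "siteowner", "user_email": "owner@example.test",
   "user_registered": "2021-03-02 09:12:44"},
  {"ID": "7", "user_login": "wp_support", "user_email": "support@example.test",
   "user_registered": "2026-01-14 02:17:09"},
  {"ID": "9", "user_login": "ops", "user_email": "ops@example.test",
   "user_registered": "2025-11-20 10:00:00"}
]"""

# Known-good administrator logins, kept outside WordPress in change records
# (assumption about the operator's process).
BASELINE_ADMINS: Set[str] = {"siteowner", "ops"}

# First in-the-wild exploitation reported above: 13 January 2026.
EXPLOIT_START = datetime(2026, 1, 13)


def parse_export(text: str) -> List[Dict[str, str]]:
    """Load the JSON rows emitted by `wp user list --format=json`."""
    return json.loads(text)


def audit_admins(rows, baseline, exploit_start):
    """Return (suspect, missing): suspect lists administrators that are not in
    the baseline or were registered on/after exploit_start, with the reasons;
    missing lists baseline administrators absent from the export."""
    suspect = []
    seen = set()
    for row in rows:
        login = row["user_login"]
        seen.add(login)
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in baseline:
            reasons.append("not in baseline")
        if registered >= exploit_start:
            reasons.append("registered on/after %s" % exploit_start.date())
        if reasons:
            suspect.append({"ID": row["ID"], "user_login": login, "reasons": reasons})
    missing = sorted(baseline - seen)
    return suspect, missing


if __name__ == "__main__":
    suspect, missing = audit_admins(parse_export(SAMPLE_EXPORT), BASELINE_ADMINS, EXPLOIT_START)
    for s in suspect:
        print("REVIEW  ID=%s login=%s (%s)" % (s["ID"], s["user_login"], "; ".join(s["reasons"])))
    for m in missing:
        print("MISSING baseline admin not present:", m)
```

Accounts flagged for review can be removed with `wp user delete <ID> --reassign=<owner ID>` so their content is not lost, and step 5 can be performed with `wp config shuffle-salts`, which rewrites the salt constants in wp-config.php; both are existing WP-CLI commands.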

Security systems remain the priority; keep monitoring them as a matter of routine.
For more information please contact
Email : sales@inetms.co.th
065 149 2822 (Ms.Suphatson)
063 204 4534 (Ms.Atsamaphorn)
065 929 6330 (Ms.Kansinee)
061 387 9439 (Ms.Sirilak)
092 257 6902 (Ms.Narusorn)
063 197 7510 (Mr.Yanotai)
065 725 7405 (Ms.Nattharini)
065 725 7405 (Ms.Donraya)

References :

Weekly Interesting CVE

1. CVE-2025-25249
Published Date : 13/01/2026
Last Update : 16/01/2026
Device/Application/OS Target : Fortinet FortiOS, FortiSASE, and FortiSwitchManager
Attack Type : Execute unauthorized code or commands
CVSS Severity Rating : 9.8
Detail : A heap-based buffer overflow vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiOS 6.4.0 through 6.4.16, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an attacker to execute unauthorized code or commands via specially crafted packets.
Solution :
  1. FortiOS 7.6 -> Upgrade to 7.6.4 or above
  2. FortiOS 7.4 -> Upgrade to 7.4.9 or above
  3. FortiOS 7.2 -> Upgrade to 7.2.12 or above
  4. FortiOS 7.0 -> Upgrade to 7.0.18 or above
  5. FortiOS 6.4 -> Upgrade to upcoming 6.4.17 or above
  6. FortiSwitchManager 7.2 -> Upgrade to 7.2.7 or above
  7. FortiSwitchManager 7.0 -> Upgrade to 7.0.6 or above
Reference : https://nvd.nist.gov/vuln/detail/CVE-2025-25249

2. CVE-2025-61973
Published Date : 15/01/2026
Last Update : 16/01/2026
Device/Application/OS Target : Epic Games Store Version 14.6.2.0
Attack Type : Uncontrolled Search Path
CVSS Severity Rating : 8.8
Detail : A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges.
Solution : No mitigation known
Reference : https://nvd.nist.gov/vuln/detail/CVE-2025-61973

3. CVE-2026-21913
Published Date : 15/01/2026
Last Update : 16/01/2569
Device/Application/OS Target : Junos OS on EX4000-48T, EX4000-48P and EX4000-48MP: 24.4 versions before 24.4R2; 25.2 versions before 25.2R1-S2, 25.2R2
Attack Type : Incorrect Initialization of Resource
CVSS Severity Rating : 8.7
Detail : An Incorrect Initialization of Resource vulnerability in the Internal Device Manager (IDM) of Juniper Networks Junos OS on EX4000 models allows an unauthenticated, network-based attacker to cause a Denial-of-Service (DoS). On EX4000 models with 48 ports (EX4000-48T, EX4000-48P, EX4000-48MP) a high volume of traffic destined to the device will cause an FXPC crash and restart, which leads to a complete service outage until the device has automatically restarted.
Solution : The following software releases have been updated to resolve this specific issue: 24.4R2, 25.2R1-S2, 25.2R2, 25.4R1, and all subsequent releases.
Reference : https://nvd.nist.gov/vuln/detail/CVE-2026-21913

4. CVE-2021-47775
Published Date : 15/01/2026
Last Update : 16/01/2026
Device/Application/OS Target : Litexmedia YouTube Video Grabber Version 1.9.9.1
Attack Type : Out-of-Bounds Write
CVSS Severity Rating : 8.4
Detail : YouTube Video Grabber, now referred to as YouTube Downloader, 1.9.9.1 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the Structured Exception Handler. Attackers can craft a malicious payload of 712 bytes with SEH manipulation to trigger a bind shell connection on a specified local port.
Solution : Update to version 3.9.9.92
Reference : https://nvd.nist.gov/vuln/detail/CVE-2021-47775

5. CVE-2026-20960
Published Date : 16/01/2026
Last Update : 17/01/2026
Device/Application/OS Target : Microsoft Power Apps Before Patch 25121
Attack Type : Improper Authorization
CVSS Severity Rating : 8.0
Detail : Improper authorization in Microsoft Power Apps allows an authorized attacker to execute code over a network.
Solution : Update to patch 25121
Reference : https://app.opencve.io/cve/CVE-2026-0592



Malware News or Campaign IOC/IOA | EN

1. Jordanian pleads guilty to selling access to 50 corporate networks
Detection Date : 19/01/2026
Attack Type : Access Broker / Initial Access
Description : A Jordanian man named Feras Khalil Ahmad Albashiti, known online as "r1z", pleaded guilty to selling access to the networks of more than 50 companies. He acted as an access broker, offering stolen credentials and system access for sale on underground forums, dark markets where cybercriminals exchange tools and entry points. His actions were not direct attacks but rather opened the door for other attackers to infiltrate corporate systems more easily.

Albashiti was arrested in Georgia and extradited to the United States to face justice. He pleaded guilty before a court in New Jersey, with sentencing scheduled for May 2026. This case highlights international cooperation in combating borderless cybercrime and underscores that selling corporate access has become a structured illegal business.

The key lesson is that organizations must prioritize protecting access credentials and continuously monitor for abnormal behavior. Even if they are not directly attacked, leaked credentials sold on dark markets can lead to severe and uncontrollable breaches in the future.

Mitigation/Remediation :
  • Strict credential management
  • Strong access control policies
  • Configure alerts for brute force attempts or repeated credential use from multiple sources
  • Train employees to recognize phishing and social engineering, which are primary causes of credential leaks

Ref: https://www.bleepingcomputer.com/news/security/jordanian-pleads-guilty-to-selling-access-to-50-corporate-networks/

27 January 2026
