WordPress plugins with critical vulnerabilities, some already under attack
Security vulnerabilities with critical risk ratings are present in widespread WordPress plugins. One is already being attacked.
(Image: heise medien)
Critical security vulnerabilities in two popular WordPress plugins are endangering CMS instances online. Attackers are already exploiting one of the vulnerabilities in the wild. Anyone using WordPress should check if the vulnerable plugins are installed and update them promptly.
The Modular DS plugin has over 40,000 active installations, according to IT security researchers at Patchstack in their security advisory. It is used to manage multiple WordPress websites, offering monitoring, updates, and remote task management. In Modular DS version 2.5.1 and older, a vulnerability allows privilege escalation: several issues can be chained together, namely an authentication bypass, automatic admin login, and direct route selection (CVE-2026-23800, CVSS 10, risk “critical”).
Patchstack discusses the details in its advisory. Since last Friday, the IT researchers have also been observing active attacks exploiting these vulnerabilities. The analysis also names some indicators of compromise (IOCs). These include HTTP GET requests to the API endpoint “/api/modular-connector/login/” with the origin parameter “mo” and type “foo”. Attackers attempt to create a “PoC Admin” account with WordPress administrator privileges, where the username contains “admin” and an invalid email address is used. Patchstack has also been able to link three IP addresses to the attacks. Further attacks target “/?rest_route=/wp/v2/users&origin=mo&type=x”, often with the user agent “firefox” and a “username” containing “backup”. Version 2.6.0 or newer fixes the security vulnerability.
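As an added example (not code from the article or from Patchstack), a small Python scanner that flags the Modular DS request indicators named above in web-server access logs. It assumes the Apache/nginx combined log format; the sample lines and IP addresses are constructed, and the match on the rest_route request deliberately ignores the “type” value, which the article only gives as “x”.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2026:10:01:02 +0000] "GET /api/modular-connector/login/?origin=mo&type=foo HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2026:10:01:03 +0000] "GET /?rest_route=/wp/v2/users&origin=mo&type=x HTTP/1.1" 200 2048 "-" "firefox"
198.51.100.7 - - [10/Feb/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2026:10:02:05 +0000] "GET /?rest_route=/wp/v2/posts HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def classify(line):
    """Return the IOC labels matched by one access-log line (empty list if clean)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    url = urlsplit(m.group("target"))
    q = {k: v[0] for k, v in parse_qs(url.query).items()}
    hits = []
    # IOC 1: GET to the Modular DS login endpoint with origin=mo and type=foo
    if (m.group("method") == "GET"
            and url.path.startswith("/api/modular-connector/login/")
            and q.get("origin") == "mo" and q.get("type") == "foo"):
        hits.append("modular-connector-login")
    # IOC 2: user listing via ?rest_route=/wp/v2/users carrying the same origin=mo marker
    if q.get("rest_route") == "/wp/v2/users" and q.get("origin") == "mo":
        hits.append("rest-route-users")
        if m.group("ua").lower() == "firefox":   # bare "firefox" UA noted in the advisory
            hits.append("bare-firefox-ua")
    return hits

def scan(log_text):
    """Map each source IP to the set of IOC labels seen in its requests."""
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hits = classify(line)
        if m and hits:
            findings.setdefault(m.group("ip"), set()).update(hits)
    return findings

if __name__ == "__main__":
    for ip, labels in scan(SAMPLE_LOG).items():
        print(ip, sorted(labels))
```

Hits on a site still running 2.5.1 or older warrant checking the user table for newly created administrator accounts as well as updating the plugin.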
An even more widespread WordPress plugin
The WordPress plugin “Advanced Custom Fields: Extended” even boasts over 100,000 active installations. Wordfence explains the issue in a security advisory. Up to version 0.9.2.1 of the plugin, unauthenticated attackers can specify the “administrator” role during registration and thereby gain full access to the instance, as the “insert_user” function does not impose any restrictions. The IT security researchers note that this can only be exploited if “role” is assigned to the custom field (CVE-2025-14533, CVSS 9.8, risk “critical”). The problem is resolved from version 0.9.2.2 of the plugin onwards.
In November, IT security researchers warned of a vulnerability in the WordPress plugin AI Engine. It, too, is used on over 100,000 WordPress instances. Attackers could exploit that security vulnerability to escalate their privileges to admin and thus take over the instance.
(dmk)