WordPress Plugin Vulnerabilities

Modular DS 2.5.2 - Unauthenticated Privilege Escalation

Description

The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Privilege Escalation in version 2.5.2. This makes it possible for unauthenticated attackers to escalate their privileges to that of an administrator.

Affects Plugins

Plugin icon
modular-connector
Fixed in 2.6.0

References

CVE
CVE-2026-23800
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8bd035bf-003f-4f97-be76-7b1c50727d21

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Dave Jong
Verified
No
WPVDB ID
4ff60a15-3f1c-4498-884f-bf81d58f3ceb

Timeline

Publicly Published
2026-01-16 (about 3 months ago)
Added
2026-01-19 (about 3 months ago)
Last Updated
2026-01-19 (about 3 months ago)

Other

Published
Title
Published
2025-07-28
Title
Custom API for WP < 4.2.3 - Subscriber+ Privilege Escalation
Published
2019-12-27
Title
GDPR Cookie Compliance <= 4.0.2 - Authenticated Settings Reset
Published
2026-01-19
Title
Advanced Custom Fields: Extended < 0.9.2.2 - Unauthenticated Privilege Escalation
Published
2025-09-23
Title
Goodlayers Core < 2.1.7 - Authenticated (Contributor+) Privilege Escalation
Published
2025-02-26
Title
Bricksbuilder < 1.9.7 - Authenticated (Contributor+) Privilege Escalation via create_autosave