A serious security flaw has been found in the Modular DS WordPress plugin. The bug allows attackers to create new administrator accounts and take full control of any website using the plugin. The issue was discovered and reported in late December 2025, and a patch is now available.
What the Vulnerability Allows
- An attacker can send a specially crafted request to the plugin’s registration or reset endpoint.
- This creates a new user with administrator privileges without any verification.
- No authentication is required – the exploit works even on sites where registration is closed.
- Once the admin account is created, the attacker can log in, change settings, install malicious plugins, steal data, or deface the site.
The vulnerability is tracked as CVE-2025-XXXX (exact CVE number pending publication) and carries a CVSS score of 9.8 (Critical).
Affected Versions
- Modular DS versions 1.0.0 to 1.3.7 are vulnerable.
The flaw was introduced in the initial release and remained until the patch.
Official Fix
The plugin author released version 1.3.8 on January 10, 2026. This version:
- Adds proper capability checks
- Removes the vulnerable endpoint
- Hardens user creation functions
All users must update immediately.
How to Protect Your Site Right Now
- Update the Plugin Immediately
  - Go to Plugins → Installed Plugins in your WordPress dashboard.
  - Find Modular DS and click Update Now to move to version 1.3.8 or higher.
- If You Cannot Update Yet
  - Deactivate and delete the plugin completely (back up your site first).
  - Or temporarily disable user registration: Settings → General → Membership → Uncheck “Anyone can register” (a secondary measure only: as noted above, the exploit works even on sites where registration is closed, so removing the plugin is the reliable option).
- Check for Unauthorized Admin Accounts
  - Go to Users → All Users
  - Sort by Registered date (newest first)
  - Look for any unfamiliar admin-level accounts created recently
  - Delete suspicious users and change passwords for all admins
- Scan Your Site
  - Use free tools like Wordfence, Sucuri SiteCheck, or MalCare
  - Run a full malware scan
  - Look especially for new files in /wp-content/plugins/modular-ds/
- Additional Hardening Steps
  - Change all admin passwords (use strong, unique ones)
  - Enable two-factor authentication (2FA) on all admin accounts
  - Install a security plugin (Wordfence, iThemes Security, or Sucuri)
  - Limit login attempts
  - Block XML-RPC if you don’t use it
  - Keep WordPress core, themes, and all plugins updated
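A scripted version of the “Check for Unauthorized Admin Accounts” step, added here as an example and not part of the original advisory or the plugin. It assumes WP-CLI is installed on the host and filters the CSV output of `wp user list` for administrator accounts registered on or after a cutoff date; the sample rows below are constructed, not taken from a real site.

```shell
#!/bin/sh
# Constructed sample in the shape of:
#   wp user list --role=administrator \
#      --fields=ID,user_login,user_email,user_registered --format=csv
# The third row is a made-up "new admin" to exercise the filter.
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2021-03-02 09:14:55
7,editor_jane,jane@example.com,2023-11-19 16:40:02
42,wpadm1n,nobody@mail.invalid,2026-01-12 03:27:41'

# find_new_admins CUTOFF  (reads CSV on stdin)
# Prints one tab-separated line per administrator whose user_registered
# timestamp is at or after CUTOFF ("YYYY-MM-DD HH:MM:SS").
find_new_admins() {
  cutoff="$1"
  tail -n +2 | while IFS=, read -r id login email registered; do
    # MySQL DATETIME strings sort lexicographically, so a plain
    # string comparison is enough; expr does that portably.
    if expr "$registered" \>= "$cutoff" >/dev/null; then
      printf '%s\t%s\t%s\t%s\n' "$id" "$login" "$email" "$registered"
    fi
  done
}

# count_new_admins CUTOFF  (reads CSV on stdin)
# Prints the number of matching accounts, handy for alerting across
# many sites: anything above 0 needs a human to look at it.
count_new_admins() {
  find_new_admins "$1" | wc -l | tr -d ' '
}

# Live usage (WP-CLI assumed; run from the WordPress root):
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv \
#     | find_new_admins "2025-12-01 00:00:00"
# Demo on the constructed sample, using the start of the disclosure window:
printf '%s\n' "$SAMPLE_ADMINS" | find_new_admins "2025-12-01 00:00:00"
```

Pick the cutoff from your own records (the last date you know the admin list was clean), not only from the advisory timeline, since the bug existed since 1.0.0.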
Timeline Summary
- Vulnerability discovered: Late December 2025
- Public disclosure & patch released: January 10, 2026
- Exploit code already circulating on hacker forums (as of Jan 14)
- Update now – the window to fix this quietly is closing fast
If you use Modular DS on any site, treat this as urgent. Update today, check for rogue admin accounts, and scan for backdoors. Better safe than sorry.
Via: Securityaffairs