Modular DS Security Release: Modular Connector 2.5.2
Version 2.5.2 of the Modular DS Connector plugin, released on January 14, 2026, includes an important security fix addressing a critical vulnerability.
We strongly recommend that all Modular DS installations ensure they are running this version as soon as possible and complete the following actions.
Recommended actions
To fully secure your sites, please carefully follow the steps below.
1. Update Modular Connector to version 2.5.2 (REQUIRED)
This step is mandatory.
From Modular DS:
- Check for updates in the Modular DS dashboard
- If the update does not appear, click the “Reload” button in the updater
- Some sites may take a few minutes to detect the update. Updates are being forced for all sites.
From WordPress admin:
- Go to Plugins → Installed Plugins
- Look for the Modular Connector update notification (if you are using white labeling, look for the custom plugin name you configured)
- Click “Update Now”
Via WP-CLI:
- wp plugin update modular-connector
2. Review potential indicators of compromise (HIGHLY RECOMMENDED)
After updating the plugin:
- Review your server access logs for suspicious requests, like requests coming from automated scanners (for example: Python-urllib, curl, Go-http-client), which may indicate attempted exploitation.
- Check your WordPress admin users. In some cases, compromised sites may show newly created administrator accounts using generic usernames or email addresses (for example, addresses ending in @example.com). If you find any suspicious or unfamiliar user accounts, remove them immediately and regenerate all relevant credentials.
If you don't find any suspicious activity, it is very likely that your site has not been affected.
If you do detect anything unusual, such as suspicious requests, unexpected admin accounts, or unknown changes, completing the additional security steps outlined below is highly recommended.
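An added example (not Modular DS code) of the two checks above: it tallies access-log requests from the scripted clients the advisory names and flags administrator accounts in the output of `wp user list --role=administrator --format=json`. The combined log format, the `since` cutoff, the function names and all sample data are assumptions constructed for illustration.

```python
import json
import re
from collections import Counter
from datetime import datetime

# Client markers the advisory lists as examples of automated scanners.
SCANNER_UA = re.compile(r"python-urllib|curl|go-http-client", re.I)
# Apache/nginx "combined" format is assumed; adapt for a custom log format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def scanner_hits(lines):
    """Count requests from scripted clients per (ip, method, path, status)."""
    hits = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if m and SCANNER_UA.search(m["ua"]):
            path = m["path"].split("?", 1)[0]  # group by path, ignore query
            hits[(m["ip"], m["method"], path, m["status"])] += 1
    return hits

def suspicious_admins(wp_user_json, since):
    """Flag admins with an @example.com address or created on/after `since`."""
    # wp_user_json: output of `wp user list --role=administrator --format=json`
    flagged = []
    for user in json.loads(wp_user_json):
        created = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        reasons = []
        if user["user_email"].lower().endswith("@example.com"):
            reasons.append("generic email domain")
        if created >= since:  # cutoff is the operator's choice (assumption)
            reasons.append("created after cutoff")
        if reasons:
            flagged.append((user["user_login"], reasons))
    return flagged

# Constructed sample data: documentation IPs and a placeholder path.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Jan/2026:08:41:02 +0000] "GET /placeholder/path?a=1 HTTP/1.1" 200 512 "-" "Python-urllib/3.11"',
    '203.0.113.7 - - [14/Jan/2026:08:41:03 +0000] "GET /placeholder/path?a=2 HTTP/1.1" 200 512 "-" "python-urllib/3.11"',
    '198.51.100.9 - - [14/Jan/2026:08:42:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [14/Jan/2026:08:43:55 +0000] "GET / HTTP/1.1" 404 128 "-" "curl/8.5.0"',
]
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@site.test", "user_registered": "2024-03-02 10:15:00"},
    {"ID": 57, "user_login": "admin_tmp", "user_email": "admin_tmp@example.com", "user_registered": "2026-01-14 08:50:12"},
])
```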
Additional steps
1. Regenerate WordPress salts (HIGHLY RECOMMENDED)
WordPress salts are security keys used to encrypt information stored in cookies. Regenerating them will invalidate all existing sessions and help prevent unauthorized access.
Steps:
- Go to https://api.wordpress.org/secret-key/1.1/salt/
- Copy all generated values
- Open your wp-config.php file
- Locate the section “Authentication Unique Keys and Salts”

- Replace the existing keys with the new ones
- Save the file
Example:
define('AUTH_KEY', 'your-unique-phrase-here');
define('SECURE_AUTH_KEY', 'your-unique-phrase-here');
define('LOGGED_IN_KEY', 'your-unique-phrase-here');
define('NONCE_KEY', 'your-unique-phrase-here');
define('AUTH_SALT', 'your-unique-phrase-here');
define('SECURE_AUTH_SALT', 'your-unique-phrase-here');
define('LOGGED_IN_SALT', 'your-unique-phrase-here');
define('NONCE_SALT', 'your-unique-phrase-here');
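An added example (not from Modular DS or WordPress) that performs the replace step above in code: it takes the text copied from the salt generator and splices the eight values into wp-config.php content, refusing incomplete, reused or quote-breaking values. The function names, the `MIN_LEN` threshold and the sample inputs are assumptions constructed for illustration.

```python
import re

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# One define('KEY', 'value'); statement per line, as in the example above.
DEFINE = re.compile(
    r"""^[ \t]*define\(\s*['"](?P<key>\w+)['"]\s*,\s*'(?P<val>.*)'\s*\);""",
    re.M)
MIN_LEN = 32  # assumed sanity threshold, not a WordPress constant

def parse_salts(text):
    """Return {key: value} for the salt defines found in text."""
    return {m["key"]: m["val"] for m in DEFINE.finditer(text)
            if m["key"] in SALT_KEYS}

def rotate_salts(config_text, generated_text):
    """Splice freshly generated salt defines into wp-config.php content."""
    old, new = parse_salts(config_text), parse_salts(generated_text)
    for name, found in (("wp-config.php", old), ("generated block", new)):
        missing = [k for k in SALT_KEYS if k not in found]
        if missing:
            raise ValueError(f"{name} is missing: {', '.join(missing)}")
    for key, val in new.items():
        # A quote or backslash would break out of the PHP single-quoted string.
        if len(val) < MIN_LEN or val == old[key] or "'" in val or "\\" in val:
            raise ValueError(f"refusing weak, reused or unsafe value for {key}")
    if len(set(new.values())) != len(SALT_KEYS):
        raise ValueError("generated values must all differ")

    def swap(m):
        # A function replacement keeps '$' or '\' in a salt from being
        # treated as a regex group reference.
        if m["key"] not in SALT_KEYS:
            return m.group(0)  # leave unrelated defines untouched
        return f"define('{m['key']}', '{new[m['key']]}');"
    return DEFINE.sub(swap, config_text)

# Constructed sample input: a minimal wp-config.php and a generated block.
SAMPLE_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\n" + "".join(
    f"define('{k}', 'your-unique-phrase-here');\n" for k in SALT_KEYS)
SAMPLE_GENERATED = "".join(
    f"define('{k}',   '{(str(i) + 'x$&') * 16}');\n"
    for i, k in enumerate(SALT_KEYS))
```

Write the returned text to a temporary file and rename it over wp-config.php, keeping a backup, so a failed write cannot leave a half-updated configuration.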
2. Regenerate OAuth credentials (RECOMMENDED)
To ensure maximum security, we recommend regenerating your OAuth credentials and reconnecting your sites.
Steps:
- Log in to your Modular DS account
- Go to your site and open “Site settings”

- Scroll down to the “Connection keys” section
- Click “Regenerate keys”

- Reconnect the website using the new credentials

3. Scan your site for malicious plugins or files (HIGHLY RECOMMENDED)
We recommend scanning affected sites using a security or malware detection tool (such as Imunify or similar solutions).
This can help identify any malicious plugins, files, or code that may have been added to the site as a result of unauthorized access.
Security fix details
| Title | Severity |
|---|---|
| CVE-2026-23550 - Privilege Escalation via permissive route matching | Critical |
Modular DS has remediated an issue where the internal routing system used overly permissive path matching. Under certain conditions, this could have allowed unauthenticated attackers to bypass authentication checks and gain elevated privileges on WordPress sites running the plugin.
- Impacted Versions: Modular Connector: all versions up to and including 2.5.1
- Fixed Version: 2.5.2
- CVSS: 10.0 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
- CWE: CWE-284: Improper Access Control
- OWASP Top 10: A01:2021 - Broken Access Control
Thanks to our partner Patchstack for coordinating the responsible disclosure of this vulnerability.
Technical summary
The vulnerability was located in a custom routing layer extending Laravel’s route matching functionality. The route matching logic was overly permissive, allowing crafted requests to match protected endpoints without proper authentication validation.
Attack vector: An unauthenticated remote attacker could send specially crafted HTTP requests to login-related endpoints with arbitrary path segments, bypassing authentication middleware and potentially gaining administrative access.
Timeline
- January 14, 2026, 08:04 UTC: Vulnerability reported by Patchstack
- January 14, 2026, 08:30 UTC: Security advisory published
- January 14, 2026, 09:26 UTC: Version 2.5.2 released
- January 14, 2026, 10:28 UTC: Patchstack confirmed the vulnerability has been resolved
Our commitment to security
We take security incidents very seriously. We understand that this issue may have caused disruption, and we sincerely apologize for the inconvenience it may have caused. As soon as we were made aware of the vulnerability, we worked closely with Patchstack to analyze the issue, develop a fix, and release it as quickly as possible.
Security is a core priority at Modular DS. Our infrastructure is cloud-based and supported by regular security audits. In parallel with releasing this fix, we are actively reviewing our internal processes and implementing additional safeguards to reduce the risk of similar issues occurring in the future.
Contact
If you have any questions or need assistance, please contact us at help@modulards.com.
Updated on: 14/01/2026
