Description
Incorrect Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from n/a through <= 2.5.1.
Published: 2026-01-14
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

An Incorrect Privilege Assignment flaw in the Modular DS WordPress plugin allows an attacker to increase their level of access beyond what is intended. The weakness, identified as CWE‑266, can enable an attacker to gain administrative privileges within the WordPress system, compromising confidentiality, integrity, and availability of site content and configuration.

Affected Systems

The vulnerability impacts the Modular DS WordPress plugin, specifically versions up to and including 2.5.1. All installations of the plugin in this version range are potentially exposed.

Risk and Exploitability

The exploit probability is very low, with an EPSS score of less than 1%, and the issue is not listed in CISA’s Known Exploited Vulnerabilities catalog. An attacker would need some level of access to the WordPress installation, likely through authenticated requests that trigger the plugin’s privilege assignment mechanisms, to elevate their privileges.

Generated by OpenCVE AI on April 16, 2026 at 18:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Modular DS plugin to the latest version, which removes the privilege assignment flaw.
  • If an immediate update is not possible, temporarily disable the plugin until a patched version is available.
  • Review and audit WordPress user roles and permissions to confirm no unintended administrative rights have been granted during the incident.

Generated by OpenCVE AI on April 16, 2026 at 18:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation.This issue affects Modular DS: from n/a through 2.5.1. Incorrect Privilege Assignment vulnerability in Modular DS Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from n/a through <= 2.5.1.
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Modular
Modular modular
Wordpress
Wordpress wordpress
Vendors & Products Modular
Modular modular
Wordpress
Wordpress wordpress

Wed, 14 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
References

Wed, 14 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
References

Wed, 14 Jan 2026 09:00:00 +0000

Type Values Removed Values Added
Description Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation.This issue affects Modular DS: from n/a through 2.5.1.
Title WordPress Modular DS plugin <= 2.5.1 - Privilege Escalation vulnerability
Weaknesses CWE-266
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Modular Modular
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:03.943Z

Reserved: 2026-01-14T08:36:07.869Z

Link: CVE-2026-23550

cve-icon Vulnrichment

Updated: 2026-01-14T16:38:52.618Z

cve-icon NVD

Status : Deferred

Published: 2026-01-14T09:16:02.520

Modified: 2026-04-23T15:36:39.077

Link: CVE-2026-23550

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z

Weaknesses