{"id":78,"date":"2026-01-19T15:50:13","date_gmt":"2026-01-19T14:50:13","guid":{"rendered":"https:\/\/helloblog.io\/cs\/kriticka-zranitelnost-wordpress-modular-ds-aktivne-zneuzivana-admin\/"},"modified":"2026-01-20T06:32:57","modified_gmt":"2026-01-20T05:32:57","slug":"kriticka-zranitelnost-wordpress-modular-ds-aktivne-zneuzivana-admin","status":"publish","type":"post","link":"https:\/\/helloblog.io\/cs\/kriticka-zranitelnost-wordpress-modular-ds-aktivne-zneuzivana-admin\/","title":{"rendered":"Kritick\u00e1 zranitelnost ve WordPress pluginu Modular DS se aktivn\u011b zneu\u017e\u00edv\u00e1: neautentizovan\u00e9 z\u00edsk\u00e1n\u00ed admina"},"content":{"rendered":"\n

V bezpe\u010dnosti WordPressu se ob\u010das objev\u00ed chyby, kter\u00e9 nejsou \u201ejen\u201c o XSS nebo \u00faniku dat, ale rovnou o p\u0159evzet\u00ed cel\u00e9ho webu. P\u0159esn\u011b do t\u00e9hle kategorie spad\u00e1 \u010derstv\u011b popsan\u00e1 zranitelnost v pluginu Modular DS<\/strong> \u2013 podle Patchstacku u\u017e je aktivn\u011b zneu\u017e\u00edvan\u00e1<\/strong> a vede k neautentizovan\u00e9 eskalaci opr\u00e1vn\u011bn\u00ed a\u017e na administr\u00e1tora<\/strong>.<\/p>\n\n\n\n

V \u010dl\u00e1nku rozep\u00ed\u0161u, co se technicky d\u011bje, koho se to t\u00fdk\u00e1, jak poznat mo\u017en\u00e9 kompromitov\u00e1n\u00ed a jak\u00e9 kroky d\u00e1vaj\u00ed smysl bez zbyte\u010dn\u00e9 paniky, ale z\u00e1rove\u0148 rychle.<\/p>\n\n\n\n

Co se stalo: CVE-2026-23550 (CVSS 10.0) v Modular DS<\/h2>\n\n\n\n

Zranitelnost je evidovan\u00e1 jako CVE-2026-23550<\/strong> a m\u00e1 CVSS 10.0<\/strong> (maximum). Patchstack ji popisuje jako unauthenticated privilege escalation<\/strong> \u2013 tedy situaci, kdy se \u00fato\u010dn\u00edk bez p\u0159ihl\u00e1\u0161en\u00ed dostane k akc\u00edm, kter\u00e9 by m\u011bly b\u00fdt dostupn\u00e9 jen autorizovan\u00fdm u\u017eivatel\u016fm, a ve v\u00fdsledku si vyrob\u00ed admin p\u0159\u00edstup.<\/p>\n\n\n\n

Dopad se t\u00fdk\u00e1 v\u0161ech verz\u00ed do 2.5.1 v\u010detn\u011b<\/strong>. Oprava je podle vydan\u00fdch informac\u00ed v Modular DS 2.5.2<\/strong>. Plugin m\u00e1 p\u0159es 40 000 aktivn\u00edch instalac\u00ed<\/strong>, tak\u017ee z pohledu plo\u0161n\u00e9ho skenov\u00e1n\u00ed je to hodn\u011b atraktivn\u00ed c\u00edl.<\/p>\n\n\n\n

\n\n

Rychl\u00e9 doporu\u010den\u00ed<\/h4>\n\n\n

Pokud Modular DS pou\u017e\u00edv\u00e1\u0161, prioritn\u011b ov\u011b\u0159 verzi a aktualizuj minim\u00e1ln\u011b na 2.5.2. Vzhledem k aktivn\u00edmu zneu\u017e\u00edv\u00e1n\u00ed ned\u00e1v\u00e1 smysl \u010dekat na \u201ea\u017e bude \u010das\u201c.<\/p>\n\n<\/div>\n\n\n\n

Technick\u00fd kontext: routov\u00e1n\u00ed pod \/api\/modular-connector\/ a \u201edirect request\u201c re\u017eim<\/h2>\n\n\n\n

Plugin vystavuje API endpointy pod prefixem \/api\/modular-connector\/<\/code><\/strong>. Sou\u010d\u00e1st\u00ed n\u00e1vrhu je routovac\u00ed vrstva, kter\u00e1 m\u00e1 \u201ecitliv\u00e9\u201c route schovat za autentiza\u010dn\u00ed bari\u00e9ru (n\u011bco jako middleware, kter\u00fd ov\u011b\u0159\u00ed, \u017ee vol\u00e1n\u00ed opravdu poch\u00e1z\u00ed z opr\u00e1vn\u011bn\u00e9ho zdroje).<\/p>\n\n\n\n

Podle Patchstacku ale existuje kombinace n\u00e1vrhov\u00fdch rozhodnut\u00ed, kter\u00e1 tuto ochranu rozbije. Kl\u00ed\u010dov\u00fd je tzv. \u201edirect request\u201c mode<\/strong> \u2013 re\u017eim, kdy plugin p\u0159ij\u00edm\u00e1 po\u017eadavky ozna\u010den\u00e9 jako \u201ep\u0159\u00edm\u00e9\u201c (direct), a podle v\u0161eho k nim p\u0159istupuje benevolentn\u011bji.<\/p>\n\n\n\n

Obejit\u00ed autentizace \u00fadajn\u011b nast\u00e1v\u00e1 ve chv\u00edli, kdy je direct request m\u00f3d povolen a \u00fato\u010dn\u00edk po\u0161le parametry origin=mo<\/code><\/strong> a type<\/code><\/strong> nastav\u00ed na libovolnou hodnotu (nap\u0159. origin=mo&type=xxx<\/code>). T\u00edm se po\u017eadavek za\u010dne tv\u00e1\u0159it jako \u201eModular direct request\u201c.<\/p>\n\n\n\n

\n\n

Pro\u010d je to nebezpe\u010dn\u00e9 i bez \u201ehackersk\u00fdch trik\u016f\u201c<\/h4>\n\n\n

Patchstack zmi\u0148uje, \u017ee mezi p\u0159\u00edchoz\u00edm requestem a Modular slu\u017ebou nen\u00ed v tomto toku kryptografick\u00e1 vazba. Pokud je web u\u017e d\u0159\u00edve p\u0159ipojen\u00fd k Modularu (tokeny existuj\u00ed\/obnovuj\u00ed se), \u00fato\u010dn\u00edk dok\u00e1\u017ee proj\u00edt auth vrstvou jen t\u00edm, \u017ee se tref\u00ed do parametr\u016f.<\/p>\n\n<\/div>\n\n\n\n

K \u010demu to vede: odhalen\u00ed chr\u00e1n\u011bn\u00fdch rout a admin login<\/h2>\n\n\n\n

Po obejit\u00ed autentizace se maj\u00ed zp\u0159\u00edstupnit r\u016fzn\u00e9 route, v\u010detn\u011b (podle Patchstacku) \/login\/<\/code><\/strong>, \/server-information\/<\/code><\/strong>, \/manager\/<\/code><\/strong> a \/backup\/<\/code><\/strong>. Praktick\u00fd dopad sah\u00e1 od vzd\u00e1len\u00e9ho p\u0159ihl\u00e1\u0161en\u00ed a\u017e po z\u00edsk\u00e1n\u00ed citliv\u00fdch informac\u00ed o syst\u00e9mu nebo u\u017eivatel\u00edch.<\/p>\n\n\n\n

Nejhor\u0161\u00ed \u010d\u00e1st je mo\u017enost zneu\u017e\u00edt route \/login\/{modular_request}<\/code><\/strong> a z\u00edskat t\u00edm administr\u00e1torsk\u00fd p\u0159\u00edstup<\/strong> \u2013 tedy \u010dist\u00e1 eskalace opr\u00e1vn\u011bn\u00ed bez p\u0159edchoz\u00ed autentizace. Jakmile \u00fato\u010dn\u00edk z\u00edsk\u00e1 admina, u\u017e je to standardn\u00ed sc\u00e9n\u00e1\u0159 pln\u00e9ho kompromitu: zm\u011bna nastaven\u00ed, injekce \u0161kodliv\u00e9ho k\u00f3du, instalace malwaru, p\u0159esm\u011brov\u00e1n\u00ed n\u00e1v\u0161t\u011bvn\u00edk\u016f na scam, vytvo\u0159en\u00ed dal\u0161\u00edch backdoor \u00fa\u010dt\u016f atd.<\/p>\n\n\n\n

Indicie z praxe: jak vypadaly prvn\u00ed \u00fatoky<\/h2>\n\n\n\n

Patchstack uv\u00e1d\u00ed, \u017ee \u00fatoky byly zaznamenan\u00e9 13. ledna 2026 okolo 02:00 UTC<\/strong>. V praxi m\u011blo j\u00edt o HTTP GET<\/strong> vol\u00e1n\u00ed na endpoint \/api\/modular-connector\/login\/<\/code><\/strong> a n\u00e1sledn\u00e9 pokusy o vytvo\u0159en\u00ed administr\u00e1torsk\u00e9ho u\u017eivatele<\/strong>.<\/p>\n\n\n\n

Jako zdrojov\u00e9 IP adresy byly v reportu zm\u00edn\u011bn\u00e9:<\/p>\n\n\n\n