{"id":95,"date":"2026-01-19T15:49:59","date_gmt":"2026-01-19T14:49:59","guid":{"rendered":"https:\/\/helloblog.io\/el\/cve-2026-23550-krisimo-keno-modular-ds-wordpress-admin-prosvasi-xoris-login\/"},"modified":"2026-01-20T06:38:52","modified_gmt":"2026-01-20T05:38:52","slug":"cve-2026-23550-krisimo-keno-modular-ds-wordpress-admin-prosvasi-xoris-login","status":"publish","type":"post","link":"https:\/\/helloblog.io\/el\/cve-2026-23550-krisimo-keno-modular-ds-wordpress-admin-prosvasi-xoris-login\/","title":{"rendered":"CVE-2026-23550: Critical flaw in Modular DS for WordPress gives admin access without login (and is already being exploited)"},"content":{"rendered":"\n<p>If you have sites that use <strong>Modular DS<\/strong> (a plugin with >40,000 active installations), there is reason to look at them immediately: a maximum-severity vulnerability (<strong>CVE-2026-23550<\/strong>, <strong>CVSS 10.0<\/strong>) allows an attacker <em>without<\/em> a login to end up with 
<strong>administrator<\/strong> privileges. According to Patchstack, the flaw is not only real, but <strong>is being actively exploited<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"900\" height=\"470\" src=\"https:\/\/helloblog.io\/app\/uploads\/sites\/12\/2026\/01\/wordpress-exploit.jpg\" alt=\"Illustration of an exploit in a WordPress plugin\" class=\"wp-image-94\" srcset=\"https:\/\/helloblog.io\/app\/uploads\/sites\/12\/2026\/01\/wordpress-exploit.jpg 900w, https:\/\/helloblog.io\/app\/uploads\/sites\/12\/2026\/01\/wordpress-exploit-300x157.jpg 300w, https:\/\/helloblog.io\/app\/uploads\/sites\/12\/2026\/01\/wordpress-exploit-768x401.jpg 768w, https:\/\/helloblog.io\/app\/uploads\/sites\/12\/2026\/01\/wordpress-exploit-400x209.jpg 400w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\" \/><figcaption class=\"wp-element-caption\">The vulnerability concerns routes under \/api\/modular-connector\/ and can lead to admin takeover. 
\u2014 <em>Source: The Hacker News<\/em><\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">What exactly the problem is<\/h2>\n\n\n\n<p>Patchstack describes the vulnerability as an <strong>unauthenticated privilege escalation<\/strong> that affects <strong>all versions up to and including 2.5.1<\/strong>. The fix is available in <strong>2.5.2<\/strong> (a security release from the maintainers).<\/p>\n\n\n\n<p>The root of the problem lies in the plugin's routing mechanism. Modular DS exposes endpoints under the prefix <strong><code>\/api\/modular-connector\/<\/code><\/strong> and in theory \u201clocks\u201d certain sensitive routes behind authentication. 
In practice, however, there is a way to bypass the authentication middleware when the <strong>\u201cdirect request\u201d mode<\/strong> logic is triggered.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How the bypass works (at a high level)<\/h2>\n\n\n\n<p>The bypass is achieved with a crafted request that declares itself to be a \u201cModular direct request\u201d. According to the analysis, it is enough to send <strong><code>origin=mo<\/code><\/strong> and a <strong><code>type<\/code><\/strong> with any value (e.g. <code>origin=mo&type=xxx<\/code>). 
This causes the request to be treated as a direct request and to pass through the auth layer, without there being (as reported) a secure\/cryptographic binding that proves the request really comes from Modular.<\/p>\n\n\n\n<div class=\"wp-block-group callout callout-warning is-style-warning is-layout-flow wp-block-group-is-layout-flow\" style=\"border-width:1px;border-radius:8px;padding-top:1rem;padding-right:1.5rem;padding-bottom:1rem;padding-left:1.5rem\">\n\n<h4 class=\"wp-block-heading callout-title\">Important precondition<\/h4>\n\n\n<p>The scenario described works when the site is already \u201cconnected\u201d to Modular (tokens exist and can be 
renewed). In other words, it is not a blind exploit against every installation, but it is dangerous enough for production sites that actually use the connection.<\/p>\n\n<\/div>\n\n\n\n<h2 class=\"wp-block-heading\">Which endpoints are exposed and why this leads to admin takeover<\/h2>\n\n\n\n<p>With the auth bypass, routes that should normally be treated as sensitive are exposed. Patchstack lists as examples: <strong><code>\/login\/<\/code><\/strong>, <strong><code>\/server-information\/<\/code><\/strong>, <strong><code>\/manager\/<\/code><\/strong>, <strong><code>\/backup\/<\/code><\/strong>. 
The critical chain is that an attacker can exploit the route <strong><code>\/login\/{modular_request}<\/code><\/strong> to end up with <strong>administrator access<\/strong> (privilege escalation) without a prior login.<\/p>\n\n\n\n<p>From there on, the risk is the classic \u201cfull site compromise\u201d: content changes, installation of malicious plugins\/files, injection into theme files, or redirects of users to scams.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What we know about the exploitation (in the wild)<\/h2>\n\n\n\n<p>Patchstack reports that the first attacks were observed <strong>on 13 
January 2026<\/strong> at around <strong>02:00 UTC<\/strong>. The pattern described includes HTTP GET calls to <strong><code>\/api\/modular-connector\/login\/<\/code><\/strong> followed by attempts at <strong>creating an admin user<\/strong>.<\/p>\n\n\n\n<p>The following IP addresses (at least) are reported as sources of the attacks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>45.11.89[.]19<\/li>\n\n\n<li>185.196.0[.]11<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Immediate actions for owners\/devs<\/h2>\n\n\n\n<ol class=\"wp-block-list\">\n\n<li>Update Modular DS to the fixed version <strong>2.5.2<\/strong> (security release).<\/li>\n\n\n<li>Check immediately for signs of compromise: 
unknown\/unexpected admin users, odd requests to <code>\/api\/modular-connector\/<\/code>, and automated-scanner behaviour in general.<\/li>\n\n\n<li>If you see indications of a breach, follow the hardening\/cleanup steps recommended by the parties involved: regenerate the WordPress salts, regenerate the OAuth credentials, and check for malicious plugins\/files\/code.<\/li>\n\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\">Practical check: what to look for quickly<\/h2>\n\n\n\n<p>Without going into an overly forensics-heavy process, there are 2-3 quick checks that are worth doing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n\n<li>In the 
user list: new accounts with the Administrator role that do not correspond to a real person\/workflow.<\/li>\n\n\n<li>In the access logs\/WAF logs: requests to <code>\/api\/modular-connector\/login\/<\/code> and, in general, unusual activity under <code>\/api\/modular-connector\/<\/code>.<\/li>\n\n\n<li>On the filesystem: recent changes to plugin\/theme files or suspicious new PHP files.<\/li>\n\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Why this category of bugs is insidious<\/h2>\n\n\n\n<p>This incident is a good example of how dangerous \u201csilent trust\u201d in 
internal request paths is when they end up exposed to the public internet. Patchstack attributes it to a combination of design choices: URL-based route matching, a permissive direct-request mode, authentication based only on whether the site is connected, and a login flow that can fall back to administrator.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>The route matching logic was overly permissive, allowing crafted requests to match protected endpoints without proper authentication validation.<\/p>\n<cite>Modular DS maintainers (as reported by Patchstack)<\/cite><\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p><strong>CVE-2026-23550<\/strong> is not a \u201csimple\u201d bug. 
It combines routing and authentication assumptions in a way that leads to <strong>admin takeover<\/strong>, and with active exploitation at that. If Modular DS is in your stack, the right move is to update to <strong>2.5.2<\/strong> and quickly check for suspicious changes\/users.<\/p>\n\n\n<div class=\"references-section\">\n                <h2>References \/ Sources<\/h2>\n                <ul class=\"references-list\"><li><a href=\"https:\/\/thehackernews.com\/2026\/01\/critical-wordpress-modular-ds-plugin.html\" target=\"_blank\" rel=\"noopener noreferrer\">Critical WordPress Modular DS Plugin Flaw Actively Exploited to Gain Admin Access<\/a><\/li><li><a href=\"https:\/\/patchstack.com\/articles\/critical-privilege-escalation-vulnerability-in-modular-ds-plugin-affecting-40k-sites-exploited-in-the-wild\/\" target=\"_blank\" rel=\"noopener noreferrer\">Critical privilege escalation vulnerability in Modular DS plugin affecting 40k sites exploited in the wild<\/a><\/li><li><a href=\"https:\/\/help.modulards.com\/en\/article\/modular-ds-security-release-modular-connector-252-dm3mv0\/\" target=\"_blank\" rel=\"noopener noreferrer\">Modular DS Security Release: Modular Connector 2.5.2<\/a><\/li><\/ul>\n            
<\/div>","protected":false},"excerpt":{"rendered":"<p>A CVSS 10.0 flaw in the WordPress plugin Modular DS allows privilege escalation without authentication via \/api\/modular-connector\/. The bad news: the exploit has already been observed in real attacks.<\/p>\n","protected":false},"author":66,"featured_media":93,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57],"tags":[63,64,65,12,10],"class_list":["post-95","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-57","tag-cve-2026-23550","tag-patch-management","tag-privilege-escalation","tag-vulnerability","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/posts\/95","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/users\/66"}],"replies":[{"embeddable":true,"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/comments?post=95"}],"version-history":[{"count":1,"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/posts\/95\/revisions"}],"predecessor-version":[{"id":134,"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/posts\/95\/revisions\/134"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/media
\/93"}],"wp:attachment":[{"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/media?parent=95"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/categories?post=95"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/helloblog.io\/el\/wp-json\/wp\/v2\/tags?post=95"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}