Critical Privilege Escalation Vulnerability in Modular DS plugin affecting 40k+ Sites exploited in the wild
Essential information
- Published: 20/01/2026 17:02
- Modified: 20/01/2026 19:15
- Tags: 2026-01-20 CVE-2026-23550 CVE-2026-23800 active exploitation modular ds plugin vulnerability privilege-escalation unauthenticated wordpress
- Related entities: 3 observables, 5 techniques (MITRE)
Description
A critical unauthenticated privilege escalation vulnerability has been discovered in the Modular DS WordPress plugin, affecting over 40,000 sites. The flaw allows attackers to bypass authentication and gain admin access. Exploitation attempts have been observed in the wild, with attackers creating unauthorized admin accounts. The vulnerability stems from flawed route handling and authentication mechanisms. Patchstack has issued mitigation rules and assigned CVE-2026-23550. The plugin developer has released version 2.6.0 to address the issue. Users are urged to update immediately. Additional exploit paths were later discovered, leading to the assignment of CVE-2026-23800. The vulnerability highlights the dangers of implicit trust in internal request paths when exposed to the public internet.