{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23800", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-16T14:15:17.504Z", "datePublished": "2026-01-16T20:40:13.232Z", "dateUpdated": "2026-04-28T16:14:47.248Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "modular-connector", "product": "Modular DS", "versions": [{"changes": [{"at": "2.6.0", "status": "unaffected"}], "lessThan": "2.6.0", "status": "affected", "version": "2.5.2", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pikachu | Patchstack"}], "datePublic": "2026-01-16T20:38:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.<p>This issue affects Modular DS: from 2.5.2 before 2.6.0.</p>"}], "value": "Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-266", "description": "CWE-266 Incorrect Privilege Assignment", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.248Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability?_s_id=cve"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update the WordPress Modular DS plugin to the latest available version (at least 2.6.0)."}], "value": "Update the WordPress Modular DS plugin to the latest available version (at least 2.6.0)."}], "source": {"discovery": "EXTERNAL"}, "tags": ["x_open-source", "x_known-exploited-vulnerability"], "timeline": [{"lang": "en", "time": "2026-01-16T14:05:00.000Z", "value": "A vulnerability was identified through log analysis, indicating signs of active exploitation."}, {"lang": "en", "time": "2026-01-16T14:20:00.000Z", "value": "Patchstack released a RapidMitigate virtual patch."}, {"lang": "en", "time": "2026-01-16T18:50:00.000Z", "value": "The vendor provided a patch to the Patchstack Threat Intelligence team for validation."}, {"lang": "en", "time": "2026-01-16T19:35:00.000Z", "value": "The vendor officially released the patch (version 2.6.0)."}], "title": "WordPress Modular DS plugin <= 2.5.2 - Privilege Escalation vulnerability", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Patchstack RapidMitigate virtual patch.<br>"}], "value": "Patchstack RapidMitigate virtual patch."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T20:58:32.043629Z", "id": "CVE-2026-23800", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T21:08:46.900Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23800", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-16T20:58:32.043629Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T20:58:34.995Z"}}], "cna": {"tags": ["x_open-source", "x_known-exploited-vulnerability"], "title": "WordPress Modular DS plugin <= 2.5.2 - Privilege Escalation vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Pikachu | Patchstack"}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"product": "Modular DS", "versions": [{"status": "affected", "changes": [{"at": "2.6.0", "status": "unaffected"}], "version": "2.5.2", "lessThan": "2.6.0", "versionType": "custom"}], "packageName": "modular-connector", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-16T14:05:00.000Z", "value": "A vulnerability was identified through log analysis, indicating signs of active exploitation."}, {"lang": "en", "time": "2026-01-16T14:20:00.000Z", "value": "Patchstack released a RapidMitigate virtual patch."}, {"lang": "en", "time": "2026-01-16T18:50:00.000Z", "value": "The vendor provided a patch to the Patchstack Threat Intelligence team for validation."}, {"lang": "en", "time": "2026-01-16T19:35:00.000Z", "value": "The vendor officially released the patch (version 2.6.0)."}], "solutions": [{"lang": "en", "value": "Update the WordPress Modular DS plugin to the latest available version (at least 2.6.0).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress Modular DS plugin to the latest available version (at least 2.6.0).", "base64": false}]}], "datePublic": "2026-01-16T20:38:00.000Z", "references": [{"url": "https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "workarounds": [{"lang": "en", "value": "Patchstack RapidMitigate virtual patch.", "supportingMedia": [{"type": "text/html", "value": "Patchstack RapidMitigate virtual patch.<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0.", "supportingMedia": [{"type": "text/html", "value": "Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.<p>This issue affects Modular DS: from 2.5.2 before 2.6.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "CWE-266 Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.248Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23800", "state": "PUBLISHED", "dateUpdated": "2026-04-28T16:14:47.248Z", "dateReserved": "2026-01-16T14:15:17.504Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-16T20:40:13.232Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0."}, {"lang": "es", "value": "Vulnerabilidad de Asignaci\u00f3n Incorrecta de Privilegios en Modular DS modular-connector permite la escalada de privilegios. Este problema afecta a Modular DS: desde 2.5.2 antes de 2.6.0."}], "id": "CVE-2026-23800", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-16T21:15:52.037", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T19:07:34.614537+00:00", "value": {"mitigation_remediation": ["Update the Modular DS plugin to version 2.6.0 or later", "Deploy the Patchstack RapidMitigate virtual patch to temporarily mitigate the vulnerability", "If feasible, disable or remove the Modular DS plugin for users with insufficient privileges, or uninstall it if it is not required"], "summary": {"action": "Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All WordPress sites that use Modular DS plugin version 2.5.2 or earlier up to but not including 2.6.0 are impacted. The plugin is commonly installed on public websites and managed via the WordPress admin interface.", "description_and_impact": "The Vulnerability is an Incorrect Privilege Assignment flaw in the Modular DS plugin, allowing an attacker to raise privileges beyond what is intended. This weakness, classified as CWE-266, can let a non\u2011privileged user acquire higher permissions, leading to unauthorized access to site data, configuration changes, or full control over the WordPress installation. The impact is direct compromise of confidentiality, integrity, and availability of the affected site.", "risk_and_exploitability": "The CVSS score of 10 indicates the highest severity. The EPSS score is less than 1%, suggesting that, although the flaw is severe, real\u2011world exploitation frequency is currently low or uncertain. The vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is through the normal WordPress administrative interface or any authenticated user interface that includes the plugin. An attacker would need to exploit the incorrect privilege assignment to elevate their role without further authentication escalation."}}}}, "created": "2026-01-19T09:19:48.237200+00:00", "updated": "2026-04-18T19:15:10.609919+00:00", "vendors": ["modular", "modular$PRODUCT$modular", "wordpress", "wordpress$PRODUCT$wordpress"]}