Modular DS

myuill (PLUS)

Verified purchaser

Deals bought: 87
Member since: Jan 2012
1 stars
Jan 14, 2026

Plugin is compromised, led to attack on one of my sites

Critical vulnerability in this plugin -

I was using this on just a handful of sites the last year or so. I got an alert that an admin user had been created with an obvious fake email address.

After running through the logs I came across this:
Authentication bypass
03:05:38 45.11.89.19 302 GET /api/modular-connector/login/anything?origin=mo&type=foo
The attacker calls the vulnerable ModularDS endpoint. The 302 response is a redirect — but critically, this redirect includes a valid WordPress authentication cookie. No username or password required.

Admin access confirmed
03:05:38 45.11.89.19 200 GET /wp-admin/index.php
Same second. The attacker accesses the WordPress admin dashboard. The 200 response means success — they're now logged in as an administrator.

Navigating to user creation
03:05:39 45.11.89.19 200 GET /wp-admin/user-new.php
The attacker loads the "Add New User" page. This is an automated script.

Creating the malicious account
03:05:39 45.11.89.19 302 POST /wp-admin/user-new.php
The attacker submits the form to create a new admin account. The 302 redirect indicates the form was processed successfully.

Attack complete
03:05:40 45.11.89.19 200 GET /wp-admin/users.php?update=add&id=10
The attacker is redirected to the users list with update=add&id=10 in the URL. This confirms user ID 10 (the "admin5" account) was successfully created.

Total time from first request to full compromise: 2 seconds.

Attacker attempted to use the new account
About 2 minutes after the account was created, a different IP attempted to log in — likely to use the newly created admin5 credentials:
2026-01-14 03:07:34 Access 151.241.30.63 200 GET /wp-login.php HTTP/1.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1)
2026-01-14 03:07:35 Access 151.241.30.63 200 POST /wp-login.php HTTP/1.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1)

In my case, the attacker only had approximately 90 seconds of access before I responded. A Wordfence scan confirmed no malware or backdoors were installed. However, if this plugin has been on your site for a while, the attacker may have had more time to cause damage.
The vulnerability appears to be an authentication bypass, which is as serious as it gets. Any site with this plugin installed should be considered potentially compromised.

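Added example, not part of the review and not Modular DS code: a Python check that scans an access log for the sequence the reviewer describes, a 302 from the `/api/modular-connector/login/` endpoint followed shortly by successful `/wp-admin/` requests from the same IP. It assumes the simplified line layout quoted in the review; the 60-second window, the function name and the sample log (documentation IP ranges) are constructed here.

```python
import re
from datetime import datetime, timedelta

# Line layout as quoted in the review: HH:MM:SS IP STATUS METHOD PATH
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (\d{3}) (GET|POST) (\S+)")
LOGIN_PREFIX = "/api/modular-connector/login/"  # endpoint named in the review
WINDOW = timedelta(seconds=60)                  # assumed correlation window

# Constructed sample log (documentation IP ranges), same shape as the review's lines.
SAMPLE_LOG = """\
03:05:38 203.0.113.7 302 GET /api/modular-connector/login/anything?origin=mo&type=foo
03:05:38 203.0.113.7 200 GET /wp-admin/index.php
03:05:39 203.0.113.7 200 GET /wp-admin/user-new.php
03:05:39 203.0.113.7 302 POST /wp-admin/user-new.php
03:05:40 203.0.113.7 200 GET /wp-admin/users.php?update=add&id=10
03:06:10 198.51.100.4 404 GET /api/modular-connector/login/x
03:06:11 198.51.100.4 302 GET /wp-admin/index.php
"""

def find_bypass_sessions(log_text, window=WINDOW):
    """Map each IP to what it did in wp-admin within `window` of receiving
    a 302 from the connector login endpoint. Assumes a single-day log."""
    redirect_at = {}  # ip -> time of its latest 302 from the endpoint
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in the expected layout
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        ip, status, method, path = m.group(2), int(m.group(3)), m.group(4), m.group(5)
        if path.startswith(LOGIN_PREFIX):
            if status == 302:
                redirect_at[ip] = ts
            continue
        start = redirect_at.get(ip)
        in_window = start is not None and timedelta(0) <= ts - start <= window
        if not in_window or not path.startswith("/wp-admin/"):
            continue
        page_ok = status == 200  # 200 on an admin page: the session was accepted
        created = method == "POST" and status == 302 and path.startswith("/wp-admin/user-new.php")
        if not (page_ok or created):
            continue
        f = findings.setdefault(ip, {"admin_hits": 0, "user_created": False, "new_user_ids": []})
        f["admin_hits"] += page_ok
        f["user_created"] = f["user_created"] or created
        uid = re.search(r"users\.php\?.*update=add&id=(\d+)", path)
        if uid:
            f["new_user_ids"].append(int(uid.group(1)))
    return findings
```

Any IP returned with `user_created` set warrants an audit of the WordPress user list for the IDs in `new_user_ids`; real server logs will need `LINE_RE` adapted to their format.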