Exploitation was already spotted in the wild, with some intrusions leading to WordPress Admin sessions, before a fixed update was available to users.
Successful exploit grants Admin rights
The vulnerability lies in how Modular DS handles requests internally. The plugin exposes a set of REST-style routes under an “/api/modular-connector/” prefix that are supposed to be protected by authentication middleware. But due to an oversight in the route handling logic, specifically the isDirectRequest() mechanism, certain requests bypass authentication entirely when specific parameters are present.
This means an attacker who can reach the impacted endpoint can, in a single crafted request, cause the plugin to treat them as if they were a legitimate authenticated site connection. That, in turn, opens up access to sensitive routes, including /login/, granting instant admin privileges or the ability to enumerate site users and data without needing a password.
