
WordPress Plugin Security Roundup: January 2026

January opened with one of the most severe WordPress plugin disclosures in recent months: a CVSS 10.0 zero-day in the Modular DS plugin that was actively exploited in the wild starting January 13 — before most site owners had any warning. A second critical flaw in ACF Extended allowed unauthenticated attackers to register as administrators. Here is what was disclosed, what is patched, and what to do now.

Every month we review the WordPress plugin vulnerability disclosures from Patchstack and WPScan and summarize the ones that matter most: high install counts, exploitable without privileges, or actively weaponized in the wild. January 2026 had two that require immediate attention — both critical severity, both requiring no authentication whatsoever.

For context on the broader landscape: Patchstack reported 333 new WordPress plugin and theme vulnerabilities disclosed in the single week of January 7–13, 2026 alone. The two below are the ones that stood out from that volume because of active exploitation and severity scores at the top of the CVSS scale.

January 2026 at a Glance

CVE             Plugin        CVSS           Type                             Auth Required  Status
CVE-2026-23550  Modular DS    10.0 Critical  Privilege Escalation             None           Patched — update to 2.5.2
CVE-2025-14533  ACF Extended  9.8 Critical   Unauthenticated Role Escalation  None           Patched — update to 0.9.2.2

Both vulnerabilities are patched. If you are running either plugin, update immediately. If you were running a vulnerable version, check your user list for unauthorized administrator accounts before doing anything else.

CVE-2026-23550 — Modular DS (CVSS 10.0 Critical)

Affected versions: All versions up to and including 2.5.1
Fixed in: 2.5.2
Auth required to exploit: None — fully unauthenticated
Active exploitation confirmed: January 13, 2026

CVE-2026-23550 is a CVSS 10.0 vulnerability — the maximum possible score — in the Modular DS plugin, which is active on over 40,000 WordPress sites. Exploitation was confirmed in the wild starting around 2 a.m. UTC on January 13, 2026, before the vulnerability was widely announced. The window between first observed exploitation and public disclosure was measured in hours.

The flaw is a chain of three weaknesses that, combined, allow a remote attacker with no credentials to gain full administrator access to any affected site:

  1. Direct route selection: The plugin exposes internal routing endpoints that should only be accessible to authenticated administrators. These endpoints are reachable by any unauthenticated HTTP request.
  2. Authentication bypass: The authentication check on those endpoints contains a logic error that allows it to be skipped entirely by crafting the request in a specific way.
  3. Automatic admin login: Once the endpoint is reached, the plugin's internal auto-login routine runs without verifying that a valid session exists, resulting in full administrator access for the attacker.

Successful exploitation gives an attacker the same level of access as the site owner — including the ability to install plugins, modify themes, create backdoor administrator accounts, and export all stored site data. Because exploitation was observed in the wild before patches were widely distributed, sites that were running an affected version should be treated as potentially compromised, not just vulnerable.

If you ran Modular DS 2.5.1 or earlier, the post-update steps are:

  • Update to 2.5.2 immediately
  • Go to Users → All Users in your WordPress admin and filter by Administrator role — look for accounts you did not create
  • Delete any unauthorized administrator accounts and rotate all remaining admin passwords
  • Check your plugins list for anything installed that you do not recognize
  • Review recent file modifications using your hosting control panel's file manager

CVE-2025-14533 — Advanced Custom Fields: Extended (CVSS 9.8 Critical)

Affected versions: All versions up to and including 0.9.2.1
Fixed in: 0.9.2.2
Auth required to exploit: None — fully unauthenticated
Install count: 100,000+ active installations

Advanced Custom Fields: Extended (ACF Extended) is a companion plugin to the widely used Advanced Custom Fields plugin, adding additional field types, a front-end forms system, and extended developer tools. The base plugin (ACF) is separate and is not affected by this vulnerability — only the ACF Extended add-on.

CVE-2025-14533 is an unauthenticated privilege escalation via the front-end registration form component. The vulnerability allows an attacker to supply an arbitrary role value — including administrator — in the registration request. The plugin does not validate whether the submitted role is permitted for self-registration; it accepts and applies it. A remote attacker with no prior access to the site can register an administrator account in a single request.

This category of vulnerability — allowing user-supplied role assignment during registration — is straightforward to exploit. No chaining of weaknesses is required, and no interaction with an existing user account is needed. Any publicly accessible site running ACF Extended through version 0.9.2.1 with any front-end registration form present is fully exposed.

After updating to 0.9.2.2:

  • Check Users → All Users for unfamiliar administrator accounts
  • If you do not use ACF Extended's front-end registration functionality, confirm that no public registration forms using this plugin are exposed on your site
  • Rotate admin passwords as a precaution if the site was publicly accessible during the vulnerability window

What to Do

  1. Check your plugin list. In WordPress admin, go to Plugins → Installed Plugins. Look for Modular DS and Advanced Custom Fields: Extended. Note the version numbers.
  2. Update immediately. Go to Dashboard → Updates and apply all available updates for these plugins. Verify the version number after the update completes.
  3. Audit your user list. For any site that was running a vulnerable version, check the administrator user list for accounts you do not recognize and remove them before doing anything else.
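The post-update checks above (the Modular DS and ACF Extended checklists and the three steps here) can be scripted against WP-CLI output when you manage more than a handful of sites. The script below is an added example written for this roundup, not a Patchstack, WPScan or plugin-vendor tool; the plugin slugs, the `owner`/`editor2` account names and the sample JSON are assumptions or constructed data, and only the two fixed version numbers and the January 13 exploitation date come from the text above.

```python
"""Post-update audit for the two January 2026 disclosures (added example)."""
import json, shutil, subprocess
from datetime import datetime

# Fixed releases from the roundup. The plugin slugs are ASSUMED: confirm them
# against the `name` column of `wp plugin list` before relying on this.
FIXED = {"modular-connector": "2.5.2", "acf-extended": "0.9.2.2"}
# First confirmed in-the-wild exploitation of CVE-2026-23550 (UTC).
EXPLOIT_START = datetime(2026, 1, 13)
# Constructed sample data, shaped like WP-CLI's --format=json output.
SAMPLE_PLUGINS = [{"name": "modular-connector", "version": "2.5.1"},
                  {"name": "acf-extended", "version": "0.9.2.2"}]
SAMPLE_ADMINS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2021-04-02 09:15:00"},
    {"ID": 37, "user_login": "wp_support", "user_registered": "2026-01-13 02:41:18"},
    {"ID": 38, "user_login": "editor2", "user_registered": "2026-01-14 11:00:00"},
]

def version_tuple(v):
    """'0.9.2.10' -> (0, 9, 2, 10): compare numerically, never as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def vulnerable_plugins(plugins):
    """Slugs from FIXED that are installed at a version older than the fix."""
    return [p["name"] for p in plugins if p["name"] in FIXED
            and version_tuple(p["version"]) < version_tuple(FIXED[p["name"]])]

def suspicious_admins(users, known_logins):
    """Admins you did not create, or created on/after the exploitation date.
    user_registered can be backdated by an intruder: the known-login list is
    the authoritative check and the date is only a second signal."""
    flagged = []
    for u in users:
        created = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if u["user_login"] not in known_logins or created >= EXPLOIT_START:
            flagged.append(u["user_login"])
    return flagged

def wp_json(*args):
    """Run a WP-CLI command and parse its JSON output (needs `wp` in PATH)."""
    proc = subprocess.run(["wp", *args, "--format=json"], check=True,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)

if __name__ == "__main__":
    live = shutil.which("wp") is not None   # fall back to the sample offline
    plugins = wp_json("plugin", "list") if live else SAMPLE_PLUGINS
    admins = wp_json("user", "list", "--role=administrator",
                     "--fields=ID,user_login,user_registered") if live else SAMPLE_ADMINS
    print("update now:", vulnerable_plugins(plugins))
    print("review these admins:", suspicious_admins(admins, {"owner", "editor2"}))
```

Run it from the WordPress root on each site (or over SSH with `wp --path=...`); any login it prints that you did not create is the first thing to investigate, before the update itself.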

If you manage multiple WordPress sites, running this audit manually for each is time-consuming. Both Patchstack and WPScan offer free-tier email alerts when a vulnerability is disclosed for a plugin installed on a connected site.

Looking Ahead

The January disclosures reinforce a pattern that security researchers have been tracking for several years: the gap between vulnerability disclosure and active exploitation is shrinking. CVE-2026-23550 was exploited before most site owners could act. The most effective mitigation remains the same — keep plugins updated, monitor disclosure databases, and audit user accounts regularly.

We will publish the February 2026 roundup at the end of next month. In the meantime, the Patchstack database is updated daily and is free to search.
