CVE-2026-23800

Critical

Published: 16 January 2026

Published

16 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0002 6.4th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-23800 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 6.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly addressing this CVE by updating the Modular DS plugin to version 2.6.0 or later to fix the incorrect privilege assignment.

AC-6 Least Privilege good match

prevent

AC-6 enforces the principle of least privilege, preventing privilege escalation by ensuring only minimal authorized accesses are granted in the WordPress environment.

AC-3 Access Enforcement good match

prevent

AC-3 mandates enforcement of approved access authorizations, countering the vulnerability's improper privilege assignment that allows unauthenticated escalation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Direct remote unauthenticated privilege escalation via incorrect privilege assignment in public-facing WordPress plugin component.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0.

Deeper analysisAI

CVE-2026-23800 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Modular DS modular-connector component of the Modular DS WordPress plugin, enabling privilege escalation. This issue affects Modular DS versions from 2.5.2 before 2.6.0. The vulnerability was published on 2026-01-16 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

An unauthenticated remote attacker can exploit this vulnerability over the network to escalate privileges within the affected WordPress environment. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, with a scope change that extends control beyond the vulnerable component, potentially leading to full site compromise.

The Patchstack advisory recommends updating the Modular DS plugin to version 2.6.0 or later to mitigate the vulnerability.

Details

CWE(s): CWE-266

CVEs Like This One

CVE-2026-32520Shared CWE-266

CVE-2025-44655Shared CWE-266

CVE-2026-27051Shared CWE-266

CVE-2026-32519Shared CWE-266

CVE-2026-32488Shared CWE-266

CVE-2026-32916Shared CWE-266

CVE-2025-68869Shared CWE-266

CVE-2024-56000Shared CWE-266

CVE-2026-23550Shared CWE-266

CVE-2026-24968Shared CWE-266

References

https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability?_s_id=cve
audit@patchstack.com