Cyber Resilience

CVE-2026-23800

Critical

Published: 16 January 2026

Published
16 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0047 37.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-23800 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-23800 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the Modular DS modular-connector component of the Modular DS WordPress plugin, enabling privilege escalation. This issue affects Modular DS versions from 2.5.2 before 2.6.0. The vulnerability was published on 2026-01-16 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), marking it as critical due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.

An unauthenticated remote attacker can exploit this vulnerability over the network to escalate privileges within the affected WordPress environment. Successful exploitation grants high-impact access to confidentiality, integrity, and availability, with a scope change that extends control beyond the vulnerable component, potentially leading to full site compromise.

The Patchstack advisory recommends updating the Modular DS plugin to version 2.6.0 or later to mitigate the vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Incorrect Privilege Assignment vulnerability in Modular DS modular-connector allows Privilege Escalation.This issue affects Modular DS: from 2.5.2 before 2.6.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated privilege escalation via incorrect privilege assignment in public-facing WordPress plugin component.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27983Shared CWE-266
CVE-2024-13421Shared CWE-266
CVE-2026-24971Shared CWE-266
CVE-2024-51888Shared CWE-266
CVE-2026-32488Shared CWE-266
CVE-2026-24968Shared CWE-266
CVE-2025-67953Shared CWE-266
CVE-2026-24373Shared CWE-266
CVE-2025-68027Shared CWE-266
CVE-2025-49388Shared CWE-266

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely flaw remediation, directly addressing this CVE by updating the Modular DS plugin to version 2.6.0 or later to fix the incorrect privilege assignment.

prevent

AC-6 enforces the principle of least privilege, preventing privilege escalation by ensuring only minimal authorized accesses are granted in the WordPress environment.

prevent

AC-3 mandates enforcement of approved access authorizations, countering the vulnerability's improper privilege assignment that allows unauthenticated escalation.

References