Unauthenticated Privilege Escalation in Modular DS WordPress Plugin
CVE-2026-23550 is a critical unauthenticated privilege-escalation vulnerability in the Modular DS WordPress plugin affecting versions up to and including 2.5.1. The issue is rooted in the plugin’s custom routing and authentication design for /api/modular-connector/ endpoints. Attackers can force the plugin into a trusted “direct request” path by supplying query parameters such as origin=mo and an arbitrary type value, which bypasses normal authentication checks when the site is already connected to Modular services. In this code path, the authentication middleware validates connection state rather than the authenticity of the requester, with no required signature, secret, IP restriction, or equivalent cryptographic verification. The exposed login route can then invoke the plugin’s auto-login flow; if no user ID is supplied, the controller may fall back to selecting an existing administrator account and log in as that user. The result is remote, unauthenticated administrator access, and the flaw has been observed being exploited in the wild.
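To make the design flaw concrete, here is an added illustration (hypothetical Python, not the Modular DS plugin's own PHP source) of the two weaknesses the description names: a "direct request" check that keys off caller-controlled query parameters plus connection state, and a login resolver that silently falls back to an administrator when no user ID is supplied. Each is shown beside a hardened counterpart: an HMAC-signed, timestamp-bound request check using a secret established at connection time, and a resolver that treats a missing user ID as an error. The shared secret, user table and header names are constructed for the example.

```python
"""Hypothetical illustration of the authentication-design flaw behind
CVE-2026-23550, not the plugin's code: trusting request parameters and
connection state versus verifying the requester with a signed request."""
import hashlib
import hmac

# Constructed stand-in for the site's stored connection state and the
# shared secret the vendor service would hold after "connecting" the site.
SITE_STATE = {"connected": True, "shared_secret": b"example-secret-do-not-use"}

# Constructed user table: one administrator, one lower-privileged user.
USERS = [
    {"id": 1, "login": "admin", "role": "administrator"},
    {"id": 2, "login": "editor", "role": "editor"},
]


def is_direct_request_weak(query: dict) -> bool:
    """Weak check modelled on the page's description: the request is treated as
    coming from the vendor service merely because origin=mo and any 'type'
    value are present. Both parameters are fully attacker-controlled."""
    return query.get("origin") == "mo" and "type" in query


def authorize_weak(query: dict, state: dict) -> bool:
    """Weak middleware: confirms that the site is connected, not who is asking."""
    return bool(state["connected"]) and is_direct_request_weak(query)


def sign_request(secret: bytes, path: str, body: bytes, ts: int) -> str:
    """HMAC over (path, timestamp, body digest) so the signature is bound to
    this exact request and cannot be lifted onto a different route."""
    msg = path.encode() + b"\n" + str(ts).encode() + b"\n" + hashlib.sha256(body).digest()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize_signed(headers: dict, path: str, body: bytes, state: dict,
                     now: int, max_skew: int = 300) -> bool:
    """Hardened middleware: accepts only requests carrying a fresh signature
    made with the secret established at connection time."""
    if not state["connected"]:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    if abs(now - ts) > max_skew:  # reject replay of a previously captured request
        return False
    expected = sign_request(state["shared_secret"], path, body, ts)
    provided = headers.get("X-Signature", "")
    return hmac.compare_digest(expected, provided)  # constant-time comparison


def resolve_login_user_weak(user_id, users):
    """Fallback modelled on the page: with no user_id, pick any administrator."""
    if user_id is not None:
        return next((u for u in users if u["id"] == user_id), None)
    return next((u for u in users if u["role"] == "administrator"), None)


def resolve_login_user_strict(user_id, users):
    """Hardened: a missing or unknown user_id is an error, never a silent fallback."""
    if user_id is None:
        return None
    return next((u for u in users if u["id"] == user_id), None)


if __name__ == "__main__":
    path = "/api/modular-connector/login"
    print("weak check passes attacker query:", authorize_weak({"origin": "mo", "type": "x"}, SITE_STATE))
    print("signed check rejects unsigned request:", not authorize_signed({}, path, b"", SITE_STATE, 1000))
    print("weak resolver with no id ->", resolve_login_user_weak(None, USERS)["login"])
    print("strict resolver with no id ->", resolve_login_user_strict(None, USERS))
```

The signed variant still checks connection state, but only as a precondition; the decision rests on a signature the requester could only produce with the per-site secret, and the timestamp window limits replay of a captured request. The strict resolver closes the second half of the chain: even if the route were reached, no user ID means no login.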
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (4 hidden).
This repository is a small standalone Bash proof-of-concept exploit for CVE-2026-23550, targeting the WordPress Modular Connector plugin (claimed vulnerable through version 2.5.1). The repository contains two files: a single executable Bash script, CVE-2026-23550.sh, and a README describing the issue and usage. The exploit is not part of a larger framework.

The script’s purpose is to perform an unauthenticated authentication bypass against a WordPress REST endpoint. It sends a POST request to the target URL at /?rest_route=/api/modular-connector/login with Content-Type: application/json and body {"origin":"mo"}. If the target responds by issuing a wordpress_logged_in_* cookie, the script treats the target as vulnerable. It then reuses that cookie to request /wp-admin/ and checks the response for dashboard-related strings to confirm administrative access.

Main capabilities:
- Accepts a target base URL as a command-line argument, defaulting to http://localhost:8080.
- Sends the crafted bypass request to the vulnerable REST route.
- Stores returned cookies in cookies.txt.
- Detects successful exploitation by checking for a WordPress authenticated session cookie.
- Verifies likely admin access by requesting /wp-admin/ with the captured cookie.
- Deletes the temporary cookie jar after execution.

Operationally, this is more than a pure detector because it actively attempts to obtain and use an authenticated admin session. However, the payload is fixed and simple, so OPERATIONAL is the best fit rather than WEAPONIZED. No destructive behavior, persistence, lateral movement, or post-exploitation automation is present.
Repository contains an operational unauthenticated admin-takeover exploit for CVE-2026-23550 affecting the WordPress Modular DS (modular-connector) plugin <= 2.5.1.

Structure:
- CVE-2026-23550.sh: Main bash exploit tool (obfuscated via base64+eval) implementing: dependency checks, optional Google dork display, WordPress user enumeration via /?author=N redirect parsing, and an exploit routine that targets the Modular DS API to obtain an admin session cookie; flags indicate optional creation of a new admin user with provided username/password.
- CVE-2026-23550.yaml: Nuclei-style HTTP check template that fingerprints the plugin (body contains /plugins/modular-connector/) and tests the bypass by requesting the login endpoint with origin=mo&type=foo; success is inferred from HTTP 302 and presence of a wordpress_logged_in cookie in headers.
- README.md: Explains root cause: flawed isDirectRequest() logic treats requests with origin=mo and any type parameter as trusted, bypassing auth middleware; login route falls back to any admin user if no user ID is provided, issuing admin cookies and redirecting to wp-admin.

Capabilities/impact:
- Remote, unauthenticated exploitation over HTTP(S).
- Admin session takeover by forcing the plugin’s remote-login flow to issue WordPress admin cookies.
- Additional post-bypass access to multiple sensitive plugin routes (server info, backups, management, cache clear, WooCommerce stats) as documented.

Notable observables:
- Requests to /api/modular-connector/login/* with query origin=mo&type=... and resulting 302 redirect plus wordpress_logged_in cookie.
- Enumeration traffic to /?author=1..10.

No hardcoded C2 infrastructure was observed; endpoints are target-relative and user-supplied via the target URL argument.
Repository contains a single Python mass-exploitation script plus a banner and a sample URL list placeholder.

Structure:
- CVE-2026-23550.py: Main threaded scanner/exploiter.
- Baner.txt: ASCII art banner displayed at startup.
- url.txt: Placeholder text ('list url'); user is expected to provide a file containing target URLs.

Exploit purpose and flow:
1) Reads targets from a user-supplied file; normalizes each target to include a scheme (defaults to http://).
2) For each target (multi-threaded), creates a requests.Session and POSTs to WordPress admin-ajax endpoint /wp-admin/admin-ajax.php with parameters action=modular_ds_update_privileged_action, role=administrator, verify=true. This is presented as a privilege escalation step but the script does not validate success beyond proceeding.
3) Attempts to upload two files to /wp-content/plugins/modular-ds/uploader.php: a PHP file named p_shell.php containing only an echo marker, and a TXT file v_marker.txt containing a verification marker.
4) Verifies exploitation by GET requesting the expected uploaded paths under /wp-content/plugins/modular-ds/ and checking for marker strings in responses.
5) On success, prints 'Shell Uploaded!' and logs the base URL to VLUN.txt and the PHP payload URL to VLUN_Sh.txt.

Capabilities:
- Network-based mass targeting with configurable thread count.
- Attempts a WordPress plugin-specific privilege escalation via admin-ajax action.
- Attempts unauthenticated/weakly authenticated arbitrary file upload into a web-accessible plugin directory.
- Post-upload verification and local result logging.

Notes:
- Despite the 'shell' naming, the PHP payload is not an interactive webshell or RCE primitive; it only prints a marker string. The real impact depends on whether the upload endpoint allows arbitrary PHP upload and execution; if so, the payload could be trivially replaced with a true webshell by an operator.
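The three repository summaries above list the observables a defender can look for in web server logs: hits on /api/modular-connector/login (directly or via ?rest_route=), the origin=mo plus type query pair, a 302 on that route as the likely-success signal, /?author=N enumeration sweeps, the admin-ajax action modular_ds_update_privileged_action, and access to /wp-content/plugins/modular-ds/uploader.php. The following added Python script (not from any of the listed repositories or from Mallory) turns those into a small triage pass over combined-format access log lines. The log lines are constructed for the example; the IP addresses are documentation ranges. Only URL-visible indicators are checked, because request bodies and Set-Cookie response headers are not in a standard access log.

```python
"""Triage of web access logs for CVE-2026-23550 observables (added example,
not a repository's or vendor's code). Parses Apache/nginx combined-format
lines and tags each source IP with the indicators it exhibited."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

LOGIN_ROUTE = "/api/modular-connector/login"

# Combined log format: ip ident user [ts] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one full bypass sequence (enumeration, bypass hit
# with 302, dashboard fetch), one unsigned probe of the login route via
# rest_route that was refused, and one benign visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2026:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.10 - - [05/Mar/2026:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.10 - - [05/Mar/2026:10:01:04 +0000] "GET /?author=3 HTTP/1.1" 404 1234
203.0.113.10 - - [05/Mar/2026:10:01:09 +0000] "GET /api/modular-connector/login?origin=mo&type=foo HTTP/1.1" 302 0
203.0.113.10 - - [05/Mar/2026:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 55120
198.51.100.7 - - [05/Mar/2026:10:02:30 +0000] "POST /?rest_route=/api/modular-connector/login HTTP/1.1" 403 120
192.0.2.44 - - [05/Mar/2026:10:03:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 9000
192.0.2.44 - - [05/Mar/2026:10:03:01 +0000] "GET /?author=1 HTTP/1.1" 301 0
"""


def parse_line(line: str):
    """Split one combined-format line into fields plus a decoded path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so that an empty 'type=' still counts as the parameter being present
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def classify(rec: dict) -> list:
    """Return indicator tags for one request, based on the observables in the summaries."""
    tags = []
    q = rec["query"]
    # The plugin route may appear as a real path or behind WordPress's ?rest_route= form.
    route = rec["path"] if "/api/modular-connector/" in rec["path"] else q.get("rest_route", "")
    if route.startswith(LOGIN_ROUTE):
        if q.get("origin") == "mo" and "type" in q:
            tags.append("modular_connector_direct_request_bypass")
        else:
            tags.append("modular_connector_login_route")  # body-based variants show no params in the log
        if rec["status"] == "302":
            tags.append("redirect_after_login_route_possible_success")
    if rec["path"] == "/" and "author" in q:
        tags.append("author_enumeration")
    if rec["path"].endswith("/wp-admin/admin-ajax.php") and q.get("action") == "modular_ds_update_privileged_action":
        tags.append("modular_ds_privileged_action")
    if rec["path"].endswith("/wp-content/plugins/modular-ds/uploader.php"):
        tags.append("modular_ds_uploader_access")
    return tags


def analyze(lines) -> dict:
    """Aggregate indicators per source IP; a lone ?author= lookup is normal site
    behaviour, so enumeration is only reported once several author IDs are tried."""
    per_ip = defaultdict(lambda: {"tags": set(), "author_ids": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        per_ip[rec["ip"]]["tags"].update(tags)
        if "author_enumeration" in tags:
            per_ip[rec["ip"]]["author_ids"].add(rec["query"]["author"])
    alerts = {}
    for ip, data in per_ip.items():
        tags = set(data["tags"])
        tags.discard("author_enumeration")
        if len(data["author_ids"]) >= 3:
            tags.add("author_enumeration_sweep")
        if tags:
            alerts[ip] = sorted(tags)
    return alerts


if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, ", ".join(tags))
```

Any hit on the login route from an address that is not the vendor service is worth a look on its own; the combination of a direct-request bypass hit, a 302 on it, and a dashboard fetch from the same source in the same minute is the sequence to treat as a probable successful takeover, and the assume-compromise checklist above applies.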
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
42 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Authentication bypass vulnerability in the Modular DS WordPress plugin enabling remote attackers to gain admin-level access.
A 2026-era vulnerability referenced only as having a custom Nuclei scanning template present in the exposed operator files.
WordPress Modular DS plugin unauthenticated privilege escalation to admin; actively exploited.
Unknown