What the vulnerability does
01 Description
The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. This is due to missing nonce validation on the postConfirmOauth() function. This makes it possible for unauthenticated attackers to disconnect the plugin's OAuth/SSO connection via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
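The fix for this class of bug is a nonce check on the state-changing handler. The sketch below is an added example, not Modular DS source code: every example_ds_* name, the option key and the settings page slug are hypothetical, and it assumes a standard WordPress admin-post.php handler.

```php
<?php
// Added example: hypothetical plugin code, not taken from Modular DS.
// The action name, nonce field, option key and page slug are assumptions.

const EXAMPLE_DS_ACTION = 'example_ds_disconnect_oauth';

// Render the disconnect button. wp_nonce_field() embeds a token bound to
// this action and to the current user's session.
function example_ds_render_disconnect_form(): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_DS_ACTION ); ?>">
        <?php wp_nonce_field( EXAMPLE_DS_ACTION, '_example_ds_nonce' ); ?>
        <?php submit_button( 'Disconnect', 'delete' ); ?>
    </form>
    <?php
}

function example_ds_handle_disconnect(): void {
    // Defence in depth only: another site can still submit a POST form,
    // so the method check does not replace the nonce check below.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }

    // Authorization: a nonce proves intent, not privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }

    // CSRF check: stops with a 403 when the nonce is missing, expired or
    // was issued for a different action or user. A handler without this
    // line has the flaw class described above.
    check_admin_referer( EXAMPLE_DS_ACTION, '_example_ds_nonce' );

    delete_option( 'example_ds_oauth_token' );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-ds&disconnected=1' ) );
    exit;
}

// admin_post_{action} fires only for logged-in users; no nopriv hook is added.
add_action( 'admin_post_' . EXAMPLE_DS_ACTION, 'example_ds_handle_disconnect' );
```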
Explanation of Vulnerability in Simple Terms
02 Summary
Modular DS versions up to 2.5.1 contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to perform unauthorized actions on behalf of an authenticated user. The vulnerability requires the victim to visit a malicious webpage while logged into Modular DS. An attacker can modify site settings or trigger unintended operations, but cannot access sensitive data.
What an attacker can do
03 Attacker Capabilities
Perform unauthorized actions on a site by tricking a logged-in user into visiting a malicious webpage.
Potential impact on your site
04 Site Impact
An attacker can change settings or trigger actions in Modular DS without your knowledge if you visit a malicious link while logged in.
Conditions required to exploit
05 Prerequisites
Victim must be logged into Modular DS and click a malicious link or visit an attacker-controlled page.
Key dates
06 Disclosure timeline
March 11, 2026: CVE published
April 8, 2026: Record updated