Massive WordPress Security Hole: Over 40,000 Sites at Risk from Modular DS Attack
A nightmare scenario is currently unfolding for tens of thousands of website owners. A popular WordPress plugin known as Modular DS, which is installed on more than 40,000 active websites, has been found to have a “perfect storm” of security errors. This isn’t just a minor glitch; security experts have given it a maximum severity rating because it allows total strangers to walk right into a website’s dashboard with full administrative powers. Even worse, hackers have already discovered the secret entrance and are actively breaking into sites as we speak.
The Simple Trick Hackers Use to Take Over
The vulnerability, officially labeled as CVE-2026-23550, is a classic example of a “privilege escalation” flaw. In plain English, this means someone with zero permissions can suddenly promote themselves to the highest level of authority on a site. The problem lies in how the plugin handles requests from the outside world. Modular DS creates a special pathway for the plugin’s developers to communicate with your site, but the “lock” on that door was essentially left wide open.
Security researchers at Patchstack discovered that the plugin’s internal routing system can be easily tricked. By simply adding a specific phrase, “origin=mo”, to the end of a web address, a hacker can tell the website that they are a trusted part of the Modular system. Because the plugin doesn’t use strong digital signatures to verify who is actually sending the message, it simply takes the hacker’s word for it. Once the site thinks the request is legitimate, it bypasses all the usual login screens and passwords.
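For site owners who want to check whether such requests have reached their server, the following is an added example (not code from Patchstack or the plugin) that scans a web server access log for requests carrying the “origin=mo” parameter described above. It assumes the common "combined" log format; the sample lines, IP addresses and the path `/placeholder-plugin-route` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (combined format). The IPs are documentation
# ranges and "/placeholder-plugin-route" is a stand-in, not the plugin's real path.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2026:10:00:01 +0000] "GET /placeholder-plugin-route?origin=mo HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [01/Jan/2026:10:00:02 +0000] "GET /placeholder-plugin-route?x=1&origin=%6Do HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2026:10:00:03 +0000] "GET /shop?origin=mobile HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_origin_mo_requests(log_text):
    """Return one record per request whose query string has origin == "mo"."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        url = urlsplit(m["target"])
        # parse_qs percent-decodes values, so "origin=%6Do" is caught, while
        # the exact comparison keeps "origin=mobile" from matching.
        params = parse_qs(url.query, keep_blank_values=True)
        if "mo" in params.get("origin", []):
            hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                         "path": url.path, "status": int(m["status"])})
    return hits

def count_by_ip(hits):
    """Group hits by source address to show which clients to review first."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    for hit in find_origin_mo_requests(SAMPLE_LOG):
        print(hit)
```

A hit only shows that a request with this parameter arrived; access logs record the query string but not request bodies, so review new administrator accounts and sessions around the logged times as well.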

How the Attackers “Gained” Entry
The researchers realized that because GitHub assigns user IDs in a predictable, numerical order, they could essentially “guess” their way into the system. By repeatedly creating new “bot” accounts on GitHub, they could wait until they were assigned an ID number that happened to include a trusted AWS ID within it. Wiz estimated that a new “matching” ID would appear naturally about every five days.
Once the researchers had an account with a “matching” ID, the AWS filters waved them right through. This gave them the ability to trigger a build process that held the “keys to the kingdom”—specifically, a GitHub admin token. This token wasn’t just for any random project; it belonged to the AWS JavaScript SDK, a critical piece of software used by almost every AWS customer to manage their cloud environments. With that token, an attacker could have injected malicious code directly into the official AWS source code, silently spreading a “digital virus” to every company using Amazon’s services.
The Fix and the Future of Cloud Safety
Fortunately, this story has a safe ending. Wiz followed “responsible disclosure” rules, alerting Amazon to the problem in August 2025. By September, AWS had quietly patched the hole. They fixed the broken filters, rotated all their secret keys, and added extra layers of protection to ensure that even if a filter fails in the future, a stranger can’t walk away with administrative powers.
AWS has stated there is no evidence that real-world hackers ever used this trick. Still, the discovery is a sobering reminder of how fragile the “software supply chain” can be. This isn’t the first time “pull request” triggers have caused a headache for big tech. Similar issues have popped up at Google and Microsoft, proving that even the smartest engineers in the world can be undone by a few missing characters in a line of code. For now, the cloud is safe, but “CodeBreach” serves as a permanent warning: in the digital age, your security is only as strong as your simplest filter.
