CVE-2026-2631

CRITICAL

Datalogics Ecommerce Delivery <2.6.60 - Privilege Escalation

Title source: llm

Description

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role to Administrator.
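A site triage check for the end state described above, added here as an example; it is not code from the advisory or from the plugin. It assumes the inputs are JSON exports from wp-cli (`wp option list --format=json` and `wp user list --role=administrator --fields=user_login,user_registered --format=json`), that `users_can_register` and `default_role` are the WordPress core options behind the two settings named in the description, and that the `since` cutoff and all sample values are constructed.

```python
import json
import re
from datetime import datetime

FIXED = (2, 6, 60)  # first fixed release named in the advisory

# Constructed sample input, shaped like wp-cli JSON output.
SAMPLE_OPTIONS = json.dumps([
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "datalogics_token", "option_value": "constructed-value"},
])
SAMPLE_ADMINS = json.dumps([
    {"user_login": "siteowner", "user_registered": "2024-05-02 10:00:00"},
    {"user_login": "newadmin01", "user_registered": "2026-03-12 08:15:00"},
])

def parse_version(text):
    """'2.6.59' -> (2, 6, 59), using the leading digits of each part."""
    parts = (re.match(r"\d+", p) for p in text.strip().split("."))
    return tuple(int(m.group()) if m else 0 for m in parts)

def triage(plugin_version, options_json, admins_json, since):
    """Return finding strings; `since` (YYYY-MM-DD) is the review cutoff."""
    opts = {o["option_name"]: str(o["option_value"])
            for o in json.loads(options_json)}
    findings = []
    if parse_version(plugin_version) < FIXED:
        findings.append("UPGRADE: plugin is older than 2.6.60")
        if opts.get("datalogics_token"):
            # The token could be overwritten without authentication.
            findings.append("ROTATE-TOKEN: datalogics_token is untrusted")
    # The end state the advisory describes: open sign-up as Administrator.
    if opts.get("default_role") == "administrator":
        state = "open" if opts.get("users_can_register") == "1" else "closed"
        findings.append("ADMIN-DEFAULT-ROLE: registration is " + state)
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    for user in json.loads(admins_json):
        when = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if when >= cutoff:
            findings.append("REVIEW-ADMIN: " + user["user_login"])
    return findings

if __name__ == "__main__":
    for line in triage("2.6.59", SAMPLE_OPTIONS, SAMPLE_ADMINS, "2026-03-01"):
        print(line)
```

An empty result on a patched site only means the two options are currently sane; administrator accounts created while the site ran a vulnerable version still need review.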

Exploits (1)

nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2026-2631

Scores

CVSS v3 9.8
EPSS 0.0007
EPSS Percentile 22.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-269
Status published
Published Mar 11, 2026
Tracked Since Mar 11, 2026