CVE-2026-2631

CRITICAL

Datalogics Ecommerce Delivery <2.6.60 - Privilege Escalation


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-2631. PoCs published by AnggaTechI, Nxploited.

Description

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role to Administrator.
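
A defender-side check for the request pattern described above, as an added example that is not from the advisory or either repository: it scans web-server access logs for POSTs to the `gsf/v1/update-options` REST route named in the exploit summary (including the `?rest_route=` form) and notes whether the same client later posted to the registration form. The combined log format, the `wp-login.php?action=register` follow-up check and all sample lines are assumptions of this example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlsplit

ROUTE = "/gsf/v1/update-options"  # REST route named in the scanner summary
# Assumption: Apache/nginx "combined" access-log layout.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if "/wp-json/" in path:
        return "/" + path.split("/wp-json/", 1)[1].rstrip("/")
    # The same API is reachable without pretty permalinks: /?rest_route=/...
    route = parse_qs(parts.query).get("rest_route", [None])[0]
    return route.rstrip("/") if route else None

def is_registration(target):
    """True for the stock WordPress registration form (assumed follow-up step)."""
    parts = urlsplit(target)
    return (parts.path.endswith("/wp-login.php")
            and parse_qs(parts.query).get("action") == ["register"])

def triage(lines):
    """Per client IP: POSTs to ROUTE, 2xx answers, and a later registration POST."""
    hits = defaultdict(lambda: {"posts": 0, "accepted": 0, "registered_after": False})
    for line in lines:
        m = LINE.match(line)
        if not m or m.group(3) != "POST":
            continue
        ip, _ts, _method, target, status = m.groups()
        if rest_route(target) == ROUTE:
            hits[ip]["posts"] += 1
            # A 2xx only shows the server accepted the request; review the site.
            hits[ip]["accepted"] += status.startswith("2")
        elif ip in hits and is_registration(target):
            hits[ip]["registered_after"] = True
    return dict(hits)

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [18/Apr/2026:10:00:01 +0000] "POST /wp-json/gsf/v1/update-options HTTP/1.1" 200 48 "-" "-"',
    '203.0.113.7 - - [18/Apr/2026:10:00:03 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.9 - - [18/Apr/2026:10:02:11 +0000] "POST /?rest_route=%2Fgsf%2Fv1%2Fupdate-options HTTP/1.1" 401 61 "-" "-"',
    '192.0.2.44 - - [18/Apr/2026:10:03:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 912 "-" "-"',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any client reported with `accepted` above zero warrants checking the site's registration setting, default role and administrator accounts, and confirming the plugin is at 2.6.60 or later.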

Exploits (2)

nomisec SCANNER 2 stars
by AnggaTechI · poc
https://github.com/AnggaTechI/Mass-Scanner-CVE-2026-2631

This repository contains an asynchronous scanner for CVE-2026-2631, targeting WordPress sites by sending POST requests to `/wp-json/gsf/v1/update-options` to check for vulnerability. It validates targets by checking for a specific success pattern in the response and logs vulnerable sites.

Classification: Scanner 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: WordPress (specific version not specified)
No auth needed
Prerequisites: list of target URLs · Python 3.10+ · aiohttp library
devstral-2 · analyzed Apr 18, 2026

nomisec WORKING POC
by Nxploited · poc
https://github.com/Nxploited/CVE-2026-2631

This repository contains a functional exploit PoC for CVE-2026-2631, targeting a WordPress vulnerability. The exploit automates the process of resetting store configurations, enabling user registration, setting default roles to administrator, and registering a new admin user.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: WordPress (specific version not specified)
No auth needed
Prerequisites: Target WordPress site with vulnerable plugin/API endpoint
devstral-2 · analyzed Mar 20, 2026

References (1)

Core References
Third Party Advisory exploit vdb-entry technical-description
https://wpscan.com/vulnerability/c6a64f26-4007-49a1-aa69-1e3c50223ac7/

Scores

CVSS v3 9.8
EPSS 0.0008
EPSS Percentile 24.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-269
Status published
Published Mar 11, 2026
Tracked Since Mar 11, 2026