Description

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role to Administrator.

PUBLISHED Reserved 2026-02-17 | Published 2026-03-11 | Updated 2026-03-11 | Assigner WPScan

Problem types

CWE-269 Improper Privilege Management

Product status

Default status: unaffected

Any version before 2.6.60: affected

Credits

Finder: Khaled Alenazi (Nxploited)

Coordinator: WPScan

References

wpscan.com/...rability/c6a64f26-4007-49a1-aa69-1e3c50223ac7/ exploit vdb-entry technical-description

cve.org (CVE-2026-2631)

nvd.nist.gov (CVE-2026-2631)