PT-2026-24588
Khaled Alenazi · Published 2026-03-11 · Updated 2026-03-26 · CVE-2026-2631
CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Datalogics Ecommerce Delivery WordPress plugin versions prior to 2.6.60
Description
The Datalogics Ecommerce Delivery WordPress plugin before version 2.6.60 exposes an unauthenticated REST endpoint that allows remote users to modify the datalogics_token option without authentication. This token is then used to authenticate requests to a protected endpoint, enabling arbitrary WordPress update_option() operations. An attacker can leverage this to enable registration and set the default user role to Administrator. The vulnerable parameter is datalogics_token.
Recommendations
Update the Datalogics Ecommerce Delivery WordPress plugin to version 2.6.60 or later.
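The end state described above (registration enabled, default role set to Administrator) can be checked for on a site that has run an affected version. The following is an added example, not part of the advisory or the plugin: it assumes the options and users were exported as JSON in the shape produced by `wp option list --format=json` and `wp user list --format=json`, and the sample data, the `audit` function and the `known_admins` allow-list are constructed for illustration.

```python
import json

FIXED_VERSION = (2, 6, 60)  # first fixed release named in the advisory

# Constructed sample exports (not real site data).
SAMPLE_OPTIONS = json.dumps([
    {"option_name": "blogname", "option_value": "Example Shop"},
    {"option_name": "users_can_register", "option_value": "1"},
    {"option_name": "default_role", "option_value": "administrator"},
])
SAMPLE_USERS = json.dumps([
    {"user_login": "siteadmin", "roles": "administrator",
     "user_registered": "2024-01-05 10:00:00"},
    {"user_login": "newuser01", "roles": "administrator",
     "user_registered": "2026-03-12 08:14:02"},
    {"user_login": "writer", "roles": "editor",
     "user_registered": "2025-06-01 09:30:00"},
])


def audit(options_json, users_json, plugin_version, known_admins):
    """Return findings for a site that has run the affected plugin."""
    findings = []
    installed = tuple(int(p) for p in plugin_version.split("."))
    if installed < FIXED_VERSION:
        findings.append(f"plugin {plugin_version} is older than 2.6.60")

    # WordPress core options the advisory says an attacker can change.
    opts = {o["option_name"]: str(o["option_value"])
            for o in json.loads(options_json)}
    if opts.get("default_role", "subscriber") == "administrator":
        findings.append("default_role is administrator")
        if opts.get("users_can_register", "0") == "1":
            findings.append("open registration grants administrator")

    # Assumption: roles arrive as a comma-separated string.
    for user in json.loads(users_json):
        roles = [r.strip() for r in user["roles"].split(",")]
        if "administrator" in roles and user["user_login"] not in known_admins:
            findings.append(f"unrecognised administrator: {user['user_login']}"
                            f" (registered {user['user_registered']})")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_OPTIONS, SAMPLE_USERS, "2.6.59", {"siteadmin"}):
        print(line)
```

An empty result after updating does not show that options were never changed while the site was exposed, so compare the option values against a known-good backup as well.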
Exploit
Fix
LPE
Improper Privilege Management