{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2631", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "state": "PUBLISHED", "assignerShortName": "WPScan", "dateReserved": "2026-02-17T15:27:51.784Z", "datePublished": "2026-03-11T06:00:11.163Z", "dateUpdated": "2026-03-11T13:26:10.077Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-11T06:00:11.163Z"}, "title": "Datalogics Ecommerce Delivery < 2.6.60 - Unauthenticated Privilege Escalation", "problemTypes": [{"descriptions": [{"description": "CWE-269 Improper Privilege Management", "lang": "en", "type": "CWE"}]}], "affected": [{"vendor": "Unknown", "product": "Datalogics Ecommerce Delivery", "versions": [{"status": "affected", "versionType": "semver", "version": "0", "lessThan": "2.6.60"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registartion and to set the default role as Administrator."}], "references": [{"url": "https://wpscan.com/vulnerability/c6a64f26-4007-49a1-aa69-1e3c50223ac7/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "credits": [{"lang": "en", "value": "Khaled Alenazi (Nxploited)", "type": "finder"}, {"lang": "en", "value": "WPScan", "type": "coordinator"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "WPScan CVE Generator"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-269", "lang": "en", "description": "CWE-269 Improper Privilege Management"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T13:25:32.340900Z", "id": "CVE-2026-2631", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:26:10.077Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2631", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T13:25:32.340900Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-269", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T13:24:13.338Z"}}], "cna": {"title": "Datalogics Ecommerce Delivery < 2.6.60 - Unauthenticated Privilege Escalation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Khaled Alenazi (Nxploited)"}, {"lang": "en", "type": "coordinator", "value": "WPScan"}], "affected": [{"vendor": "Unknown", "product": "Datalogics Ecommerce Delivery", "versions": [{"status": "affected", "version": "0", "lessThan": "2.6.60", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://wpscan.com/vulnerability/c6a64f26-4007-49a1-aa69-1e3c50223ac7/", "tags": ["exploit", "vdb-entry", "technical-description"]}], "x_generator": {"engine": "WPScan CVE Generator"}, "descriptions": [{"lang": "en", "value": "The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registartion and to set the default role as Administrator."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-269 Improper Privilege Management"}]}], "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2026-03-11T06:00:11.163Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2631", "state": "PUBLISHED", "dateUpdated": "2026-03-11T13:26:10.077Z", "dateReserved": "2026-02-17T15:27:51.784Z", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "datePublished": "2026-03-11T06:00:11.163Z", "assignerShortName": "WPScan"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registartion and to set the default role as Administrator."}, {"lang": "es", "value": "El plugin de WordPress Datalogics Ecommerce Delivery anterior a 2.6.60 expone un endpoint REST no autenticado que permite a cualquier usuario remoto modificar la opci\u00f3n 'datalogics_token' sin verificaci\u00f3n. Este token se utiliza posteriormente para autenticaci\u00f3n en un endpoint protegido que permite a los usuarios realizar operaciones arbitrarias de WordPress 'update_option()'. Los atacantes pueden usar esto para habilitar el registro y establecer el rol predeterminado como Administrador."}], "id": "CVE-2026-2631", "lastModified": "2026-04-15T15:05:47.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-11T06:17:14.467", "references": [{"source": "contact@wpscan.com", "url": "https://wpscan.com/vulnerability/c6a64f26-4007-49a1-aa69-1e3c50223ac7/"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.6.60)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}]}, "original": {"product": "Datalogics Ecommerce Delivery", "source": "cna", "vendor": "Unknown"}, "product": "datalogics_ecommerce_delivery", "vendor": "datalogics_ecommerce_delivery"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T15:32:18.584119+00:00", "value": {"mitigation_remediation": ["Apply the latest version of the Datalogics Ecommerce Delivery plugin (2.6.60 or newer).", "If an upgrade is not possible, disable the plugin or remove the unauthenticated REST endpoint.", "Restrict REST API access to the plugin\u2019s endpoints using firewall or authentication rules as a temporary workaround.", "Review and audit WordPress user accounts and options for unauthorized changes, especially new Administrator accounts."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All WordPress installations that use the Datalogics Ecommerce Delivery plugin with a version earlier than 2.6.60 are affected. The plugin is identified as Unknown:Datalogics Ecommerce Delivery.", "description_and_impact": "The vulnerability is caused by an unauthenticated REST endpoint in the Datalogics Ecommerce Delivery plugin that allows any remote user to modify the critical option datalogics_token without verification. This token is later used for authentication in a protected endpoint that allows arbitrary WordPress update_option() operations. An attacker can therefore enable user registration, set the default role to Administrator, and gain unrestricted administrative privileges. The consequence is full privilege escalation, enabling the attacker to modify site settings, user roles, install plugins or themes, and potentially compromise the entire WordPress installation.", "risk_and_exploitability": "The CVSS score is 9.8, indicating critical severity. EPSS is below 1%, implying that current exploit prevalence is low, but the vulnerability is still highly dangerous. It is not listed in the CISA KEV catalog. Exploitation only requires unauthenticated access to the website\u2019s REST API; attackers can send arbitrary requests to set datalogics_token and then invoke the protected option update endpoint, resulting in privilege escalation."}}}}, "created": "2026-03-12T10:06:23.769296+00:00", "updated": "2026-03-20T14:37:44.390173+00:00", "vendors": ["datalogics_ecommerce_delivery", "datalogics_ecommerce_delivery$PRODUCT$datalogics_ecommerce_delivery", "wordpress", "wordpress$PRODUCT$wordpress"]}