Critical severity9.8NVD Advisory· Published Mar 11, 2026· Updated Apr 15, 2026

CVE-2026-2631

Description

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option datalogics_token without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress update_option() operations. Attackers can use this to enable registartion and to set the default role as Administrator.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

wpscan.com/vulnerability/c6a64f26-4007-49a1-aa69-1e3c50223ac7/nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000