Critical severity9.8NVD Advisory· Published Mar 11, 2026· Updated Apr 15, 2026
CVE-2026-2631
CVE-2026-2631
Description
The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option datalogics_token without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress update_option() operations. Attackers can use this to enable registartion and to set the default role as Administrator.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <2.6.60
Patches
Vulnerability mechanics
References
1News mentions
0No linked articles in our index yet.