9.8
WordPress Datalogics Ecommerce Delivery plugin allows unauthorized config changes
CVE-2026-2631
Summary
A security issue in the Datalogics Ecommerce Delivery WordPress plugin allows anyone to modify a critical configuration setting without authentication. This could allow attackers to enable user registration and make Administrator the default role for new accounts. Update to the latest version (2.6.60 or later) to fix this issue.
Original title
The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. ...
Original description
The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role as Administrator.
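A site check for the two settings the description names, added here as an example and not part of the advisory or the plugin's code: it flags a plugin version before 2.6.60 and an open-registration or Administrator-default-role state. `users_can_register` and `default_role` are the WordPress core option names for those settings; `PLUGIN_SLUG` is a placeholder, because the advisory does not give the plugin's slug.

```sh
#!/bin/sh
FIXED_VERSION="2.6.60"   # first fixed release, per the advisory

# Return 0 if dotted version $1 is strictly lower than $2 (numeric per field).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# audit_state VERSION USERS_CAN_REGISTER DEFAULT_ROLE
# Prints one finding per line; prints nothing when the state looks clean.
audit_state() {
    if [ -z "$1" ]; then
        echo "UNKNOWN: plugin version could not be read"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE: plugin $1 is older than $FIXED_VERSION"
    fi
    if [ "$2" = "1" ] && [ "$3" = "administrator" ]; then
        echo "CRITICAL: open registration with default role administrator"
    elif [ "$3" = "administrator" ]; then
        echo "WARNING: default_role is administrator"
    elif [ "$2" = "1" ]; then
        echo "REVIEW: users_can_register is enabled; confirm it is intended"
    fi
    return 0
}

# Live mode reads the real values with WP-CLI from the WordPress root.
if [ "${1:-}" = "--live" ]; then
    slug="${PLUGIN_SLUG:?set PLUGIN_SLUG to the plugin directory name}"
    audit_state "$(wp plugin get "$slug" --field=version)" \
                "$(wp option get users_can_register)" \
                "$(wp option get default_role)"
    # Administrator accounts and creation dates, for manual review.
    wp user list --role=administrator --fields=user_login,user_registered
else
    # Constructed sample state: an unpatched site whose settings were changed.
    audit_state 2.6.59 1 administrator
fi
```

A clean version number does not clear a site that was exposed earlier, so review the administrator list from live mode even after updating.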
Vulnerability type
CWE-269
Improper Privilege Management
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026