CVE-2026-2631
Published: 11 March 2026
Summary
CVE-2026-2631 is a critical-severity Improper Privilege Management (CWE-269) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 43.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-2631 is a high-severity vulnerability in the Datalogics Ecommerce Delivery WordPress plugin, affecting versions prior to 2.6.60. It stems from an exposed unauthenticated REST endpoint that allows any remote user to modify the `datalogics_token` option without verification. This token serves as the authentication mechanism for a protected endpoint, enabling arbitrary WordPress `update_option()` operations, and is classified under CWE-269 (Improper Privilege Management) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers with network access can exploit this by first setting a custom `datalogics_token` via the public endpoint, then using that token to access the protected endpoint. This grants the ability to execute arbitrary `update_option()` calls, such as enabling user registration and setting the default role to Administrator, which could lead to full administrative takeover of the WordPress site.
The WPScan advisory (https://wpscan.com/vulnerability/c6a64f26-4007-49a1-aa69-1e3c50223ac7/) details the issue, with mitigation achieved by updating to version 2.6.60 or later, which resolves the unauthenticated token modification exposure.
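The defect class described above, as an added PHP illustration that is not the plugin's code (route names, the `example_` option name and the `EXAMPLE_WRITABLE_OPTIONS` allowlist are assumptions): a settings-writing REST route gated only by a shared token stored in an option, next to a hardened route that requires an authenticated capability check and an option allowlist, plus a guard that refuses to let `default_role` be raised to administrator.

```php
<?php
// Added example: the weak pattern the advisory describes and a hardened form.
// Route names ('example/v1/...') and option names other than datalogics_token are
// assumptions, not code from the affected plugin.

// WEAK: the route is public (permission_callback always true) and its only gate is
// a token stored in wp_options; if another public route lets callers overwrite that
// token, the gate is worthless and update_option() becomes reachable by anyone.
add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/weak-settings', [
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function (WP_REST_Request $req) {
            $stored = (string) get_option('datalogics_token', '');
            if ($stored === '' || !hash_equals($stored, (string) $req->get_param('token'))) {
                return new WP_Error('forbidden', 'bad token', ['status' => 403]);
            }
            update_option($req->get_param('name'), $req->get_param('value')); // arbitrary option write
            return rest_ensure_response(['ok' => true]);
        },
    ]);
});

// HARDENED: require a logged-in user holding manage_options (cookie auth with a REST
// nonce, or an application password), and accept only an allowlisted option name.
const EXAMPLE_WRITABLE_OPTIONS = ['datalogics_token', 'example_delivery_mode']; // assumption

add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/settings', [
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args' => [
            'name'  => ['required' => true, 'type' => 'string', 'enum' => EXAMPLE_WRITABLE_OPTIONS],
            'value' => ['required' => true, 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field'],
        ],
        'callback' => function (WP_REST_Request $req) {
            update_option($req->get_param('name'), $req->get_param('value'));
            return rest_ensure_response(['updated' => $req->get_param('name')]);
        },
    ]);
});

// Defence in depth against the post-exploitation step named in the advisory: block any
// code path that tries to make new registrations administrators by default.
add_filter('pre_update_option_default_role', function ($value, $old_value) {
    if ($value === 'administrator') {
        error_log('blocked attempt to set default_role=administrator');
        return $old_value; // returning the old value makes update_option() a no-op
    }
    return $value;
}, 10, 2);
```

The `pre_update_option_default_role` filter runs for every caller of `update_option('default_role', ...)`, so it also covers writes made through a vulnerable plugin route; an `error_log` entry from it is a useful detection signal.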
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11097
Vulnerability details
The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role to Administrator.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The exposed unauthenticated REST endpoint in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application). Arbitrary `update_option()` abuse (for example, enabling registration with an administrator default role) directly facilitates T1068 (Exploitation for Privilege Escalation), leading to full site takeover.
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): Directly addresses and limits the actions permitted without identification or authentication, preventing unauthenticated modification of `datalogics_token` via the exposed REST endpoint.
- AC-3 (Access Enforcement): Enforces approved authorizations for access to sensitive functions, blocking unauthorized updates to `datalogics_token` and the privileged `update_option()` calls that follow.
- Flaw remediation: Requires timely identification and correction of flaws such as the unauthenticated endpoint, mitigating the vulnerability through software remediation as delivered in version 2.6.60.