CVE-2026-2631
Published: 11 March 2026
Summary
CVE-2026-2631 is a critical-severity Improper Privilege Management (CWE-269) vulnerability with a CVSS base score of 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 19.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly limits the actions permitted without identification or authentication, preventing unauthenticated modification of the datalogics_token via the exposed REST endpoint.
- AC-3 (Access Enforcement): enforces approved authorizations for access to sensitive functions, blocking unauthorized updates to the datalogics_token and the privileged operations that depend on it.
- SI-2 (Flaw Remediation): requires timely identification and correction of flaws such as the unauthenticated endpoint, mitigating the vulnerability through software remediation as delivered in version 2.6.60.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The exposed unauthenticated REST endpoint in a public-facing WordPress plugin directly enables T1190 (Exploit Public-Facing Application). Abuse of arbitrary update_option() calls (for example, enabling user registration with Administrator as the default role) directly facilitates T1068 (Exploitation for Privilege Escalation), leading to full site takeover.
NVD Description
The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role as Administrator.
Deeper analysis
CVE-2026-2631 is a critical-severity vulnerability in the Datalogics Ecommerce Delivery WordPress plugin, affecting versions prior to 2.6.60. It stems from an exposed unauthenticated REST endpoint that allows any remote user to modify the `datalogics_token` option without verification. This token serves as the authentication mechanism for a protected endpoint that performs arbitrary WordPress `update_option()` operations. The issue is classified under CWE-269 (Improper Privilege Management) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers with network access can exploit this by first setting a custom `datalogics_token` via the public endpoint, then using that token to access the protected endpoint. This grants the ability to execute arbitrary `update_option()` calls, such as enabling user registration and setting the default role to Administrator, which could lead to full administrative takeover of the WordPress site.
The WPScan advisory (https://wpscan.com/vulnerability/c6a64f26-4007-49a1-aa69-1e3c50223ac7/) details the issue, with mitigation achieved by updating to version 2.6.60 or later, which resolves the unauthenticated token modification exposure.
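The two defects described above, a token-setting route with no permission check and a token-gated route that forwards caller-chosen option names straight into `update_option()`, map onto a well-known pattern in WordPress REST code. The following PHP is an added illustration written for this page; it is not the Datalogics plugin's code and does not reproduce how the plugin was fixed (the actual remediation is the update to 2.6.60). The route namespace `example/v1`, the option names `example_token`, `example_delivery_mode` and `example_notify_email`, and the header `X-Example-Token` are placeholders chosen for the example. It shows the weak registration beside a hardened one that applies the AC-14/AC-3 controls named above: only a user with `manage_options` may change the token, the token comparison is constant-time, and the privileged route only updates options from an explicit allow-list.

```php
<?php
// Added example for this page (hypothetical plugin code, not the Datalogics plugin).
// All route, option and header names below are placeholders.

// --- Weak pattern: anyone on the network can overwrite the token that gates
//     the privileged route, because the permission callback accepts everyone.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/token-weak', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // no identification or authentication (AC-14 gap)
        'callback'            => function ( WP_REST_Request $request ) {
            update_option( 'example_token', $request->get_param( 'token' ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );

// --- Hardened pattern.
add_action( 'rest_api_init', function () {
    // Changing the token is an administrative action: require the manage_options
    // capability. WordPress cookie-based REST auth only recognises the logged-in
    // user when the request carries a valid X-WP-Nonce, which also blocks CSRF.
    register_rest_route( 'example/v1', '/token', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'token' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
                // Reject short tokens so the shared secret cannot be trivially guessed.
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && strlen( $value ) >= 32;
                },
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            // Third argument false: do not autoload a secret into every page load.
            update_option( 'example_token', $request->get_param( 'token' ), false );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );

    // The token-gated route: constant-time comparison, and the caller may only
    // touch options on a fixed allow-list rather than any option name (AC-3).
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $stored   = (string) get_option( 'example_token', '' );
            $supplied = (string) $request->get_header( 'X-Example-Token' );
            if ( '' === $stored || '' === $supplied ) {
                return new WP_Error( 'rest_forbidden', 'Missing token.', array( 'status' => 403 ) );
            }
            if ( ! hash_equals( $stored, $supplied ) ) {
                return new WP_Error( 'rest_forbidden', 'Invalid token.', array( 'status' => 403 ) );
            }
            return true;
        },
        'callback' => function ( WP_REST_Request $request ) {
            // Only these plugin-owned options may be written; core options such as
            // users_can_register or default_role are never reachable from here.
            $allowed = array( 'example_delivery_mode', 'example_notify_email' );
            $name    = (string) $request->get_param( 'name' );
            if ( ! in_array( $name, $allowed, true ) ) {
                return new WP_Error( 'rest_invalid_param', 'Option not permitted.', array( 'status' => 400 ) );
            }
            $value = sanitize_text_field( (string) $request->get_param( 'value' ) );
            update_option( $name, $value );
            return rest_ensure_response( array( 'updated' => $name ) );
        },
    ) );
} );
```

For reviewers auditing a plugin for this class of bug, the two things to look for are any `register_rest_route()` call whose `permission_callback` is `__return_true` (or missing) on a route that writes state, and any callback that passes a request parameter to `update_option()` as the option name. Either one alone is the precondition for the chain described in the advisory.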
Details
- CWE(s)