CVE-2026-2631 | Follow the latest news from the world of technology and security-related developments.

Critical CVSS: 9.8

CVE-2026-2631

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registration and to set the default role as Administrator.
Vendor
-
Product
-
CWE
CWE-269
Published Date
2026-03-11 06:17:14
Updated
2026-03-11 14:16:27
Source Identifier
contact@wpscan.com
KEV Date Added
-

Categories

References