The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress `update_option()` operations. Attackers can use this to enable registartion and to set the default role as Administrator.
CVE-2026-2631
NONE
EPSS 0.18%
Updated Mar 11, 2026
WordPress
CVE Details
CVE ID
CVE-2026-2631
Published Date
Mar 11, 2026
Vendor
WordPress
Severity
NONE
Exploit Prediction (EPSS)
Probability of Exploit
0.18%
Likelihood of exploitation in next 30 days
Percentile:
38.8th percentile (higher than 38.8% of all CVEs)
Standard patching cycle
Impact
Minimal impact
Source
View Advisory