LeakyCreds

CVE-2026-2631 - Vulnerability Analysis

Critical | CVSS: 9.8

Last Updated: March 11, 2026

Datalogics Ecommerce Delivery - Broken Access Control

Published: March 11, 2026 | Updated: March 11, 2026 | Remote Exploitable

Overview

The Datalogics Ecommerce Delivery WordPress plugin before version 2.6.60 contains a broken access control vulnerability: an unauthenticated REST endpoint allows modification of the `datalogics_token` option, which lets remote attackers perform arbitrary update_option() operations. Exploitation requires no authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 17.5% (Probability of exploitation in next 30 days)

Impact

Remote attackers can modify WordPress options to enable user registration and assign the Administrator role, leading to full site takeover.

Mitigation

Upgrade to version 2.6.60 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 11, 2026

🔓 CVE-2026-2631 - Critical (9.8) The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option `datalogics_token` without verification. This token is subsequently used for authentication... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2631/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-2631
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: unconfirmed
EPSS: 17.5%
Social Posts: 1

CWE

  • CWE-269

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

17.5% (Probability of exploitation in the next 30 days)