CVE-2026-2631
Datalogics · Ecommerce Delivery (WordPress plugin)
The Datalogics Ecommerce Delivery plugin for WordPress before 2.6.60 exposes an unauthenticated REST endpoint that lets remote attackers modify site options and gain Administrator access.
Executive summary
A critical vulnerability in the Datalogics Ecommerce Delivery WordPress plugin allows unauthenticated attackers to escalate privileges to Administrator by manipulating site configuration options.
Vulnerability
The flaw is an unauthenticated REST endpoint that allows the datalogics_token option to be overwritten. Because the attacker chooses the new token value, they can then present it to a token-protected endpoint and pass its check, and that endpoint performs update_option() calls with attacker-supplied option names and values. Setting users_can_register to 1 and default_role to administrator is enough: the attacker then registers an ordinary account through the normal registration form and receives the Administrator role.
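The following is an added illustration of the bug class described above, written for this page; it is not the Datalogics plugin's code. The namespace example-delivery/v1, the route paths, the option name example_delivery_token and the header name X-Example-Token are assumptions chosen to show the pattern. The vulnerable half reproduces the two-step chain (anonymous token overwrite, then a "protected" route guarded only by that token and writing any option), and the hardened half shows the three changes that close it: a capability check, a server-generated token, and an allow-list of options the plugin owns.

```php
<?php
/**
 * Added example for CVE-2026-2631 (not the Datalogics plugin's code).
 * All identifiers below are assumptions. To try it, drop the file into
 * wp-content/mu-plugins/ on a throwaway site.
 */

// ---- VULNERABLE PATTERN --------------------------------------------------
add_action( 'rest_api_init', function () {
    // Step 1 of the chain: overwrite the API token with no permission check.
    // '__return_true' makes the route reachable by anonymous callers.
    register_rest_route( 'example-delivery/v1', '/vuln/token', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'example_delivery_token', (string) $req->get_param( 'token' ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );

    // Step 2: a "protected" route whose only guard is that token. The attacker
    // chose the token in step 1, so the guard is meaningless, and the callback
    // writes whatever option the request names (users_can_register, default_role, ...).
    register_rest_route( 'example-delivery/v1', '/vuln/option', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $req ) {
            return hash_equals( (string) get_option( 'example_delivery_token', '' ),
                                (string) $req->get_header( 'X-Example-Token' ) );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( $req->get_param( 'name' ), $req->get_param( 'value' ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );

// ---- HARDENED PATTERN ----------------------------------------------------
// Only options the plugin owns may be written over REST; core settings such as
// users_can_register and default_role are unreachable even with a valid token.
const EXAMPLE_DELIVERY_WRITABLE_OPTIONS = array( 'example_delivery_api_url', 'example_delivery_debug' );

add_action( 'rest_api_init', function () {
    // The token is never accepted from the client: an administrator asks for a
    // fresh one and the server generates it. Cookie-authenticated REST calls
    // must also carry a valid X-WP-Nonce, which WordPress checks before this runs.
    register_rest_route( 'example-delivery/v1', '/safe/token', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => function () {
            $token = wp_generate_password( 32, false ); // random, server-chosen
            update_option( 'example_delivery_token', $token, false );
            return rest_ensure_response( array( 'token' => $token ) );
        },
    ) );

    // Option writes need the capability AND an allow-listed option name.
    register_rest_route( 'example-delivery/v1', '/safe/option', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'name'  => array(
                'required'          => true,
                'validate_callback' => function ( $name ) {
                    return in_array( $name, EXAMPLE_DELIVERY_WRITABLE_OPTIONS, true );
                },
            ),
            'value' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( $req->get_param( 'name' ), $req->get_param( 'value' ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
} );
```

The allow-list is the part most often missed: a permission_callback alone stops anonymous callers, but a plugin that still passes a client-supplied option name to update_option() turns any future authentication bypass, or a compromised low-privilege account if the capability check is too loose, straight back into the privilege escalation described in this advisory.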
Business impact
A successful exploit grants the attacker full control over the WordPress environment. By enabling registration and giving themselves the Administrator role, attackers can steal customer data, deface the website, or deploy malware such as backdoored plugins or themes. The CVSS score of 9.8 (Critical) reflects an unauthenticated, remote privilege escalation with no user interaction required.
Remediation
Immediate Action: Update the Datalogics Ecommerce Delivery plugin to version 2.6.60 or later, which fixes the vulnerable REST endpoint.
Proactive Monitoring: WordPress keeps no history of option changes and no core user-activity log, so check the current state and compare it with a known-good baseline. List Administrator accounts in wp_users and flag any with an unexpected user_registered date; confirm in wp_options that users_can_register is 0 and default_role is subscriber (or your intended default); and verify that the stored datalogics_token is the value you configured. Web server access logs showing POST requests to the plugin's REST namespace indicate whether the endpoint was targeted.
Compensating Controls: Until the update is applied, a Web Application Firewall (WAF) can block unauthenticated requests to the plugin's REST routes. Treat this as a stopgap rather than a fix, since the vulnerable code remains on the server.
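As an added example (not the plugin's code), the following WP-CLI command checks the indicators listed above on a live site: the two core options the exploit chain has to change, a fingerprint of the stored datalogics_token for comparison against your own value, and any Administrator account registered on or after a given date. The command name delivery-audit, the --since option, and the function names are assumptions for this example.

```php
<?php
/**
 * Added post-incident audit for CVE-2026-2631 (not the plugin's code).
 * Save as wp-content/mu-plugins/delivery-audit.php and run:
 *   wp delivery-audit --since=2026-01-01
 * A non-zero exit code means at least one indicator was found.
 */

/**
 * Gather the current values of the settings the exploit chain changes, plus
 * Administrator accounts whose user_registered date is on or after $since
 * (Y-m-d). Returns an array so it can be logged or diffed against a baseline.
 */
function example_delivery_audit( $since ) {
    $token = (string) get_option( 'datalogics_token', '' );
    $findings = array(
        'users_can_register' => (string) get_option( 'users_can_register' ),
        'default_role'       => (string) get_option( 'default_role' ),
        // Fingerprint only: the token is a secret and must not land in logs.
        // Compare the prefix with sha256 of the value you configured.
        'token_fingerprint'  => '' === $token ? '(not set)' : substr( hash( 'sha256', $token ), 0, 12 ),
        'new_admins'         => array(),
    );

    $cutoff = strtotime( $since );
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( strtotime( $user->user_registered ) >= $cutoff ) {
            $findings['new_admins'][] = array(
                'ID'         => $user->ID,
                'user_login' => $user->user_login,
                'registered' => $user->user_registered,
            );
        }
    }
    return $findings;
}

/** Reduce the findings to human-readable alerts; an empty list means clean. */
function example_delivery_alerts( array $f ) {
    $alerts = array();
    if ( '1' === $f['users_can_register'] ) {
        $alerts[] = 'users_can_register is enabled (open registration)';
    }
    if ( 'subscriber' !== $f['default_role'] ) {
        $alerts[] = 'default_role is "' . $f['default_role'] . '" (expected subscriber)';
    }
    foreach ( $f['new_admins'] as $a ) {
        $alerts[] = sprintf( 'administrator %s (ID %d) registered %s',
                             $a['user_login'], $a['ID'], $a['registered'] );
    }
    return $alerts;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'delivery-audit', function ( $args, $assoc ) {
        $since  = isset( $assoc['since'] ) ? $assoc['since'] : '1970-01-01';
        $f      = example_delivery_audit( $since );
        $alerts = example_delivery_alerts( $f );

        WP_CLI::log( 'datalogics_token fingerprint: ' . $f['token_fingerprint'] );
        if ( empty( $alerts ) ) {
            WP_CLI::success( 'No indicators found.' );
            return;
        }
        foreach ( $alerts as $a ) {
            WP_CLI::warning( $a );
        }
        WP_CLI::halt( 1 ); // let cron or a SIEM collector notice the failure
    } );
}
```

Because wp_options stores no modification timestamp, the default_role and users_can_register checks only tell you the current state; if they are clean now, an attacker may still have flipped them, created an account, and restored them, which is why the new_admins listing is the more reliable indicator of the two.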
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability amounts to a total loss of confidentiality, integrity, and availability for affected WordPress sites: an unauthenticated user who can rewrite core site options has effectively taken over the installation, so administrators must prioritize this update. Apply version 2.6.60 or later immediately, and treat any site that ran an earlier version while exposed as possibly compromised: remove unrecognized Administrator accounts, reset users_can_register and default_role, and rotate the datalogics_token, because the update does not undo changes an attacker has already made.