Skip to main content

Datalogics Ecommerce Delivery CVE-2026-39583

| EUVDEUVD-2026-36966 CRITICAL
Incorrect Privilege Assignment (CWE-266)
2026-06-15 Patchstack GHSA-x49r-2376-h28q
9.8
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated WordPress plugin endpoint reachable over the network with no user interaction; successful privilege escalation to admin yields full C/I/A compromise of the site.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 15, 2026 - 22:17 vuln.today
CVE Published
Jun 15, 2026 - 20:18 cve.org
CRITICAL 9.8

DescriptionCVE.org

Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery <= 2.6.62 versions.

AnalysisAI

Unauthenticated privilege escalation in the Datalogics Ecommerce Delivery WordPress plugin (versions ≤ 2.6.62) allows remote attackers to gain elevated privileges on affected WordPress sites without any credentials or user interaction. The flaw, tracked by Patchstack and assigned a CVSS 9.8, enables full compromise of site integrity and confidentiality; no public exploit identified at time of analysis, but the network-reachable, no-auth nature makes opportunistic exploitation likely once details circulate.

Technical ContextAI

The affected component is the Datalogics Ecommerce Delivery plugin for WordPress, a third-party extension that integrates shipping/delivery functionality into WooCommerce-style storefronts. The CWE-266 (Incorrect Privilege Assignment) classification indicates the plugin assigns privileges to a user, role, or request context that should not have them - typically because a privileged action handler is registered on a public AJAX/REST endpoint (e.g., wp_ajax_nopriv_*) or fails to call current_user_can() / verify a nonce before changing a user's role, capabilities, or meta. CPE cpe:2.3:a:datalogics:datalogics_ecommerce_delivery confirms the issue is plugin-scoped rather than a flaw in WordPress core.

RemediationAI

Upstream fix availability is not independently confirmed in the provided data - the Patchstack entry references the vulnerable range (≤ 2.6.62) but no patched version is cited, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/datalogics/vulnerability/wordpress-datalogics-ecommerce-delivery-plugin-2-6-62-privilege-escalation-vulnerability) and the vendor's plugin page on wordpress.org for a release newer than 2.6.62, applying it immediately once available. Until a fixed version is confirmed, the safest compensating control is to deactivate and remove the Datalogics Ecommerce Delivery plugin (side effect: loss of delivery integration functionality on the storefront); short of that, restrict access to /wp-admin/admin-ajax.php and the WordPress REST API endpoints exposed by the plugin via a WAF rule or .htaccess IP allowlist (side effect: may break legitimate front-end checkout flows that rely on those endpoints), and audit wp_users / wp_usermeta for unexpected administrator-role assignments created since the plugin was installed.

Share

CVE-2026-39583 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy