Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Unauthenticated WordPress plugin endpoint reachable over the network with no user interaction; successful privilege escalation to admin yields full C/I/A compromise of the site.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery <= 2.6.62 versions.
AnalysisAI
Unauthenticated privilege escalation in the Datalogics Ecommerce Delivery WordPress plugin (versions ≤ 2.6.62) allows remote attackers to gain elevated privileges on affected WordPress sites without any credentials or user interaction. The flaw, tracked by Patchstack and assigned a CVSS 9.8, enables full compromise of site integrity and confidentiality; no public exploit identified at time of analysis, but the network-reachable, no-auth nature makes opportunistic exploitation likely once details circulate.
Technical ContextAI
The affected component is the Datalogics Ecommerce Delivery plugin for WordPress, a third-party extension that integrates shipping/delivery functionality into WooCommerce-style storefronts. The CWE-266 (Incorrect Privilege Assignment) classification indicates the plugin assigns privileges to a user, role, or request context that should not have them - typically because a privileged action handler is registered on a public AJAX/REST endpoint (e.g., wp_ajax_nopriv_*) or fails to call current_user_can() / verify a nonce before changing a user's role, capabilities, or meta. CPE cpe:2.3:a:datalogics:datalogics_ecommerce_delivery confirms the issue is plugin-scoped rather than a flaw in WordPress core.
RemediationAI
Upstream fix availability is not independently confirmed in the provided data - the Patchstack entry references the vulnerable range (≤ 2.6.62) but no patched version is cited, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/datalogics/vulnerability/wordpress-datalogics-ecommerce-delivery-plugin-2-6-62-privilege-escalation-vulnerability) and the vendor's plugin page on wordpress.org for a release newer than 2.6.62, applying it immediately once available. Until a fixed version is confirmed, the safest compensating control is to deactivate and remove the Datalogics Ecommerce Delivery plugin (side effect: loss of delivery integration functionality on the storefront); short of that, restrict access to /wp-admin/admin-ajax.php and the WordPress REST API endpoints exposed by the plugin via a WAF rule or .htaccess IP allowlist (side effect: may break legitimate front-end checkout flows that rely on those endpoints), and audit wp_users / wp_usermeta for unexpected administrator-role assignments created since the plugin was installed.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36966
GHSA-x49r-2376-h28q