Datalogics Ecommerce Delivery WordPress Plugin Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the Datalogics Ecommerce Delivery WordPress plugin, affecting versions prior to 2.6.60. The vulnerability arises from an unauthenticated REST endpoint that allows remote users to modify the 'datalogics_token' option without any authentication or authorization check. This token is then used to authenticate requests to a protected endpoint that permits arbitrary WordPress 'update_option()' calls. Because the attacker controls the token, the "protected" endpoint offers no real protection: exploiting this vulnerability could enable attackers to manipulate user registration settings and assign the Administrator role to newly registered accounts by updating the corresponding options.
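The root causes described above are a REST route that writes an option with no permission check, and a second route that trusts a shared token as its only proof of identity while allowing any option name to be written. The following PHP is an added illustration of the defensive pattern for a WordPress plugin exposing such routes; it is example code written for this advisory, not the Datalogics plugin's source. The namespace 'example-plugin/v1', the option names, the 'X-Example-Token' header and the token format are assumptions.

```php
<?php
/**
 * Illustrative hardening for a plugin REST API that writes WordPress options.
 * Example code for this advisory, not the Datalogics plugin's own source.
 * Route namespace, option names, header name and token format are assumptions.
 */

add_action( 'rest_api_init', function () {
    // Rotating the token requires a logged-in user who may manage options.
    // permission_callback runs before the handler; without it the route is public.
    register_rest_route( 'example-plugin/v1', '/update-token', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_update_token',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'token' => array(
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => function ( $value ) {
                    // Assumed token format: 64 lowercase hex characters. Reject anything else.
                    return is_string( $value ) && preg_match( '/^[a-f0-9]{64}$/', $value ) === 1;
                },
            ),
        ),
    ) );

    register_rest_route( 'example-plugin/v1', '/update-settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_update_settings',
        'permission_callback' => 'example_plugin_settings_permission',
    ) );
} );

function example_plugin_update_token( WP_REST_Request $request ) {
    // Value has already passed validate_callback; store without autoload.
    update_option( 'example_plugin_token', $request->get_param( 'token' ), false );
    return rest_ensure_response( array( 'updated' => true ) );
}

/**
 * Permission check for the settings route: requires BOTH a capable user and a
 * valid token. The token is compared in constant time and is never accepted
 * on its own, so controlling the stored token does not grant access.
 */
function example_plugin_settings_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    $stored   = (string) get_option( 'example_plugin_token', '' );
    $supplied = (string) $request->get_header( 'X-Example-Token' );
    if ( '' === $stored || ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid token.', array( 'status' => 403 ) );
    }
    return true;
}

/**
 * Only options on an explicit allowlist may be written, each through its own
 * sanitizer. Core options such as users_can_register and default_role are not
 * reachable through this endpoint regardless of what the request contains.
 */
const EXAMPLE_PLUGIN_ALLOWED_OPTIONS = array(
    'example_plugin_delivery_mode' => 'sanitize_key',
    'example_plugin_notify_email'  => 'sanitize_email',
);

function example_plugin_update_settings( WP_REST_Request $request ) {
    $changed = array();
    foreach ( EXAMPLE_PLUGIN_ALLOWED_OPTIONS as $name => $sanitizer ) {
        if ( $request->has_param( $name ) ) {
            update_option( $name, call_user_func( $sanitizer, $request->get_param( $name ) ), false );
            $changed[] = $name;
        }
    }
    // Unknown option names in the payload are silently ignored, never written.
    return rest_ensure_response( array( 'updated' => $changed ) );
}
```

Two design points matter here. First, WordPress treats a route without a 'permission_callback' as public, so every state-changing route needs one that checks a capability, not merely the presence of a secret the same API can rewrite. Second, the handler iterates over the allowlist rather than over the request body, which is what keeps an 'update_option()' primitive from reaching security-relevant core options.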

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation by enabling users to gain administrative rights on the WordPress site.

Reproduction

To reproduce this vulnerability, send a POST request to the '/datalogics-0/v1/update-token' endpoint with a JSON payload containing a new token value. Once the token has been updated, send another POST request to the '/datalogics-0/v1/update-settings' endpoint, using the same token and including a JSON payload that specifies 'users_can_register' as '1' and 'default_role' as 'administrator'. After these requests are processed, the WordPress site will reflect the changes by allowing user registrations and assigning the Administrator role to new users.

Remediation

Users are advised to update the Datalogics Ecommerce Delivery WordPress plugin to version 2.6.60 or later.

Added: Mar 11, 2026, 6:20 AM
Updated: Mar 11, 2026, 6:20 AM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          5.0
  exploitability  6.6
  remediation     0.0
  relevance       3.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.