Unauthenticated Privilege Escalation in Datalogics Ecommerce Delivery <= 2.6.62 versions.
The vulnerability classified as CWE-266 (Incorrect Privilege Assignment) involves improper privilege assignment in the plugin. An unauthenticated attacker can invoke a specific plugin functionality, which results in granting them higher privileges than they should have. The lack of access control mechanisms allows the attack to be conducted remotely without user interaction.
An attacker can obtain elevated privileges in the WordPress system, which in practice may mean taking control of the website, modifying content, stealing data, or installing malicious software.
The Datalogics Ecommerce Delivery plugin should be updated to a version higher than 2.6.62. Detailed information about the available patch is available in the vendor's references and in the Patchstack database.
WordPress Datalogics Ecommerce Delivery plugin in versions 2.6.62 and earlier
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H