CVE-2026-2631 PUBLISHED

Datalogics Ecommerce Delivery < 2.6.60 - Unauthenticated Privilege Escalation

Assigner: WPScan
Reserved: 17.02.2026 Published: 11.03.2026 Updated: 11.03.2026

The Datalogics Ecommerce Delivery WordPress plugin before 2.6.60 exposes an unauthenticated REST endpoint that allows any remote user to modify the option datalogics_token without verification. This token is subsequently used for authentication in a protected endpoint that allows users to perform arbitrary WordPress update_option() operations. Attackers can use this to enable registration and to set the default role as Administrator.
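The following audit check is an added example, not part of the advisory or the plugin: it flags the affected version range and the option state the description names (open registration with an administrator default role). It assumes the site's options were exported as a JSON array of option_name/option_value rows; the sample rows and the function names are constructed for illustration.

```python
import json

FIXED_VERSION = (2, 6, 60)  # first unaffected release, per the advisory

# Constructed sample: option rows exported from a site (assumed export shape).
SAMPLE_OPTIONS = json.loads("""[
  {"option_name": "users_can_register", "option_value": "1"},
  {"option_name": "default_role", "option_value": "administrator"},
  {"option_name": "datalogics_token", "option_value": "constructed-sample-token"}
]""")


def parse_version(text):
    """Turn '2.6.59' into (2, 6, 59); parts without digits count as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit(plugin_version, option_rows):
    """Return a list of findings for one site (empty list means nothing flagged)."""
    opts = {r["option_name"]: str(r["option_value"]) for r in option_rows}
    findings = []
    affected = parse_version(plugin_version) < FIXED_VERSION
    if affected:
        findings.append("plugin %s is in the affected range (< 2.6.60)" % plugin_version)
    open_registration = opts.get("users_can_register") == "1"
    admin_default = opts.get("default_role") == "administrator"
    if admin_default:
        findings.append("default_role is administrator")
    if open_registration and admin_default:
        findings.append("open registration grants administrator: matches the described abuse")
    if affected and "datalogics_token" in opts:
        # On an affected version anyone could have overwritten this option.
        findings.append("datalogics_token value cannot be trusted; reset it after upgrading")
    return findings


if __name__ == "__main__":
    for line in audit("2.6.59", SAMPLE_OPTIONS):
        print("[!]", line)
```

A site that has already been upgraded can still carry the altered options and any accounts created while it was exposed, so the option checks are worth running regardless of the installed version.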

Product Status

Vendor Unknown
Product Datalogics Ecommerce Delivery
Versions Default: unaffected
  • affected from 0 to 2.6.60 (excl.)

Credits

  • Khaled Alenazi (Nxploited) finder
  • WPScan coordinator

Problem Types

  • CWE-269 Improper Privilege Management