WordPress TheCartPress Unauthenticated Admin Creation (CVE-2021-47932)
The National Vulnerability Database has published CVE-2021-47932, a critical unauthenticated privilege escalation vulnerability in the WordPress plugin TheCartPress, version 1.5.3.6. The plugin's registration handler is reachable without authentication through WordPress's admin-ajax.php endpoint and takes the role of the new account from the request itself: an attacker sends a POST request for the tcp_register_and_login_ajax action with the tcp_role parameter set to administrator, and the plugin creates the account with that role.
One such request, with no credentials and no administrator involvement, yields a full administrator account on the site. NVD rates the flaw CVSS 9.8 (Critical): reachable over the network, no privileges or user interaction required, and high impact on confidentiality, integrity and availability. The root cause is missing authorization (CWE-862): the handler never checks whether the caller is allowed to assign the requested role, so a client-supplied value is honored as-is.
Any WordPress site with the vulnerable plugin active is exposed. An administrator account is complete control of the site (an administrator can install plugins and edit theme PHP, which is arbitrary code execution on the host), and from there data theft, defacement, web shells or movement into the hosting environment follow. A web application firewall rule that drops POST requests carrying action=tcp_register_and_login_ajax together with tcp_role=administrator buys time, but the fix is to update to a release that no longer accepts the role from the client, or to remove the plugin.
What This Means For You
- If your organization runs WordPress with TheCartPress at version 1.5.3.6 or earlier, treat the site as critically exposed. Identify every installation, including inactive copies, and update TheCartPress to a release that no longer accepts the role from the request, or deactivate and delete the plugin if no such update is available. Then audit WordPress user accounts for administrators nobody on your team created, paying attention to registration dates, and search web server logs for POST requests to admin-ajax.php with the tcp_register_and_login_ajax action and tcp_role=administrator. Treat any hit, or any unexplained administrator, as a compromise: reset administrator credentials and review the site for added plugins, modified files and web shells.
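The two checks in the list above, scripted. This is an added example and not code from the page, from NVD or from the plugin. It consumes the JSON that WP-CLI prints for `wp plugin list --format=json` and `wp user list --role=administrator --format=json`, flags installed TheCartPress copies at or below 1.5.3.6, and flags administrator accounts that are not on a known-good list or were registered after a cut-off date. The plugin slug "thecartpress", the allow-list and both JSON samples are assumptions constructed for the demonstration.

```python
"""Scripted triage for CVE-2021-47932: is the plugin installed, and who is an administrator?

Added example; not code from the page, from NVD or from the plugin. It consumes
the JSON that WP-CLI prints for
  wp plugin list --format=json
  wp user list --role=administrator --format=json
The slug "thecartpress", the allow-list and both JSON samples are assumptions
constructed for the demo.
"""
import json
from datetime import datetime, timezone

VULNERABLE_SLUG = "thecartpress"        # assumed plugin slug
LAST_VULNERABLE_VERSION = (1, 5, 3, 6)  # the page: 1.5.3.6 and earlier are affected

# Constructed sample output of `wp plugin list --format=json`
SAMPLE_PLUGIN_LIST = """[
  {"name": "thecartpress", "status": "active", "update": "none", "version": "1.5.3.6"},
  {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3"}
]"""

# Constructed sample output of `wp user list --role=administrator --format=json`
SAMPLE_ADMIN_LIST = """[
  {"ID": "1", "user_login": "siteowner", "display_name": "Site Owner",
   "user_email": "owner@example.com", "user_registered": "2019-03-02 10:11:12",
   "roles": "administrator"},
  {"ID": "57", "user_login": "support_tcp", "display_name": "support_tcp",
   "user_email": "x@mailinator.invalid", "user_registered": "2026-05-11 03:14:07",
   "roles": "administrator"}
]"""

KNOWN_ADMIN_LOGINS = {"siteowner"}  # assumption: the logins your team actually created


def version_tuple(version):
    """'1.5.3.6' -> (1, 5, 3, 6). Non-numeric parts such as '1.6-beta' compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def vulnerable_plugins(plugin_list_json):
    """Return [(slug, version, status)] for TheCartPress installs at or below 1.5.3.6.

    Inactive copies are reported too: they cannot serve the AJAX action while
    deactivated, but the vulnerable files stay on disk until the plugin is deleted.
    """
    return [
        (p["name"], p["version"], p["status"])
        for p in json.loads(plugin_list_json)
        if p["name"] == VULNERABLE_SLUG
        and version_tuple(p["version"]) <= LAST_VULNERABLE_VERSION
    ]


def parse_wp_datetime(value):
    """WordPress stores user_registered in UTC as MySQL 'YYYY-MM-DD HH:MM:SS'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def suspicious_admins(user_list_json, known_logins, registered_after=None):
    """Return [(user_login, [reasons])] for administrators that need review.

    registered_after is an ISO date ('2026-05-10'); accounts created after it
    (for example after the plugin was installed or the flaw became public) are
    flagged even when their login looks familiar.
    """
    cutoff = None
    if registered_after is not None:
        cutoff = datetime.fromisoformat(registered_after).replace(tzinfo=timezone.utc)
    findings = []
    for user in json.loads(user_list_json):
        roles = {r.strip() for r in user.get("roles", "").split(",")}
        if "administrator" not in roles:
            continue  # defensive: the --role filter should already guarantee this
        reasons = []
        if user["user_login"] not in known_logins:
            reasons.append("not on admin allow-list")
        if cutoff is not None:
            registered = parse_wp_datetime(user["user_registered"])
            if registered > cutoff:
                reasons.append(f"registered {registered:%Y-%m-%d} after cut-off {registered_after}")
        if reasons:
            findings.append((user["user_login"], reasons))
    return findings


if __name__ == "__main__":
    for slug, version, status in vulnerable_plugins(SAMPLE_PLUGIN_LIST):
        print(f"VULNERABLE plugin {slug} {version} ({status}): update or delete it")
    for login, reasons in suspicious_admins(SAMPLE_ADMIN_LIST, KNOWN_ADMIN_LOGINS, "2026-05-10"):
        print(f"REVIEW administrator '{login}': {'; '.join(reasons)}")
```

To use it on a real site, replace the two sample strings with the output of the WP-CLI commands and put your real administrator logins in the allow-list; the cut-off date should be the day the plugin was installed or, failing that, the disclosure date. A flagged account is a lead, not a verdict: confirm with the registration timestamp against your change records and with the web server log search from the list above.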
🛡️ Detection Rules
CVE-2021-47932 - TheCartPress Unauthenticated Admin Creation
```yaml
title: CVE-2021-47932 - TheCartPress Unauthenticated Admin Creation
id: scw-2026-05-10-ai-1
status: experimental
level: critical
description: |
  Detects the AJAX action and role parameter used by CVE-2021-47932 to create an
  administrator account in WordPress without authentication via the TheCartPress plugin.
  The exploit is a POST request; standard web server access logs record only the
  query string, so this rule fires only when the parameters appear there. Apply it to
  WAF or request-body logs to also cover parameters sent in the POST body.
author: SCW Feed Engine (AI-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47932/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    cs-uri-query|contains|all:
      - '/wp-admin/admin-ajax.php'
      - 'tcp_register_and_login_ajax'
      - 'tcp_role=administrator'
  condition: selection
falsepositives:
  - Vulnerability scanners and authorized penetration tests replaying the request
```
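The rule's selection logic run over sample web logs, as an added example that is not the page's rule or any vendor tooling. It applies the same selection (POST to admin-ajax.php, action tcp_register_and_login_ajax, tcp_role=administrator) to two log sources and shows one limitation and one refinement: a combined-format access log carries only the query string, so an exploit that sends the parameters in the POST body never matches there, and decoding the parameters catches percent-encoded values that a substring match on the raw query would miss. WordPress's admin-ajax.php reads the action from either the query string or the body, so a detection has to inspect both where the log source allows it. All log lines and records below are constructed for illustration.

```python
"""Run the detection logic above over sample web logs.

Added example; not the page's rule or any vendor tooling. All log lines and
records are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, urlsplit

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "tcp_register_and_login_ajax"
TARGET_ROLE = "administrator"

# Apache/Nginx "combined" format:
# host ident user [time] "METHOD target protocol" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines: exploit via query string, exploit via body, benign heartbeat
ACCESS_LOG = [
    '203.0.113.5 - - [10/May/2026:16:20:01 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=tcp_register_and_login_ajax&tcp_role=administrator HTTP/1.1" 200 61 "-" "curl/8.4.0"',
    '203.0.113.5 - - [10/May/2026:16:21:44 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" '
    '200 61 "-" "python-requests/2.31.0"',
    '198.51.100.9 - - [10/May/2026:16:22:10 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat '
    'HTTP/1.1" 200 12 "https://example.com/wp-admin/" "Mozilla/5.0"',
]

# Constructed records from a log source that keeps the request body (WAF / ModSecurity audit log).
# The second record is the body-only exploit from ACCESS_LOG, with the role percent-encoded.
BODY_LOG = [
    {"client": "198.51.100.9", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&_nonce=0123abcd"},
    {"client": "203.0.113.5", "method": "POST", "uri": "/wp-admin/admin-ajax.php",
     "body": "action=tcp_register_and_login_ajax&tcp_role=%61dministrator"
             "&tcp_username=support_tcp&tcp_password=Hunter2"},
]


def matches_cve_2021_47932(method, target, body=""):
    """Return "query" or "body" naming where the exploit parameters were found, else None."""
    if method != "POST":
        return None
    parts = urlsplit(target)
    if not parts.path.endswith(AJAX_PATH):
        return None
    # parse_qs percent-decodes values, so tcp_role=%61dministrator is still matched.
    for source, params in (("query", parse_qs(parts.query)), ("body", parse_qs(body))):
        if TARGET_ACTION in params.get("action", []) and TARGET_ROLE in params.get("tcp_role", []):
            return source
    return None


def scan_access_log(lines):
    """Combined-format lines: only the query string is available, so body-borne exploits are missed."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if m and matches_cve_2021_47932(m["method"], m["target"]):
            hits.append((m["host"], m["time"], m["ua"]))
    return hits


def scan_body_log(records):
    """Records with the POST body: catches the exploit whichever way the parameters were sent."""
    hits = []
    for rec in records:
        source = matches_cve_2021_47932(rec["method"], rec["uri"], rec.get("body", ""))
        if source:
            hits.append((rec["client"], source))
    return hits


if __name__ == "__main__":
    print("access log hits :", scan_access_log(ACCESS_LOG))  # one of the two exploit requests
    print("body log hits   :", scan_body_log(BODY_LOG))      # the body-only one is caught here
```

The gap between the two scans is the practical point: if your only telemetry is the web server access log, absence of a match does not mean the site was not exploited, and the administrator-account audit is the more reliable check. Where a WAF or request-body log exists, feed it the same selection.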
Indicators of Compromise
| Type | Indicator |
|---|---|
| Vulnerable software | WordPress TheCartPress plugin, version 1.5.3.6 (and earlier) |
| Request pattern | HTTP POST to /wp-admin/admin-ajax.php with action=tcp_register_and_login_ajax and tcp_role=administrator |
| Post-exploitation artifact | A new WordPress user holding the administrator role that no site administrator created |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 10, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.