critical advisory

CVE-2021-47932: WordPress TheCartPress Unauthenticated Privilege Escalation

WordPress TheCartPress version 1.5.3.6 contains an unauthenticated privilege escalation vulnerability, CVE-2021-47932, allowing attackers to create administrator accounts via crafted POST requests to the AJAX handler.

CVE-2021-47932 affects WordPress TheCartPress version 1.5.3.6. This vulnerability allows unauthenticated attackers to escalate privileges and create administrator accounts. The attack involves sending a specifically crafted POST request to the AJAX handler, enabling the attacker to gain full administrative access to the WordPress site without needing existing credentials. This vulnerability was reported on May 10, 2026. Successful exploitation leads to a complete compromise of the affected WordPress installation.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site running TheCartPress version 1.5.3.6.
  2. The attacker crafts a POST request targeting the tcp_register_and_login_ajax action.
  3. The POST request includes the tcp_role parameter set to administrator.
  4. The attacker sends the crafted POST request to the WordPress site’s AJAX handler (/wp-admin/admin-ajax.php).
  5. The vulnerable code in the TheCartPress plugin processes the request without proper authentication or authorization checks.
  6. A new administrator account is created with the credentials specified in the POST request.
  7. The attacker logs in to the WordPress site using the newly created administrator account.
  8. The attacker gains full control over the WordPress site, including the ability to modify content, install plugins, and manage users.

Impact

Successful exploitation of CVE-2021-47932 allows attackers to gain complete administrative control over the affected WordPress site. This can lead to website defacement, data theft, malware distribution, and further compromise of the server. The impact is critical due to the ease of exploitation and the high level of access gained.

Recommendation

  • Apply patches or updates for the TheCartPress plugin if the vendor has released them.
  • Deploy the Sigma rule to detect POST requests to /wp-admin/admin-ajax.php with tcp_register_and_login_ajax action and tcp_role set to administrator.
  • Monitor web server logs for suspicious POST requests to the AJAX handler.
  • Implement web application firewall (WAF) rules to block requests exploiting CVE-2021-47932.

Detection coverage (2 rules)

Detect CVE-2021-47932 Exploitation Attempt — TheCartPress Privilege Escalation

critical

Detects CVE-2021-47932 exploitation attempt — POST request to WordPress AJAX handler with TheCartPress administrator registration.

Rule type: Sigma. Tactics: initial_access, privilege_escalation. Techniques: T1190. Sources: webserver.

Detect Suspicious TheCartPress AJAX Action

medium

Detects potentially malicious AJAX requests targeting the TheCartPress plugin.

Rule type: Sigma. Tactics: initial_access, privilege_escalation. Sources: webserver.
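The two rules above reduce to the same check: a POST to /wp-admin/admin-ajax.php whose parameters name the tcp_register_and_login_ajax action, scored critical when tcp_role is administrator and medium otherwise. The following Python script is an added example that is not part of the advisory or of any vendor rule set; it applies that logic to web server log lines so the monitoring recommended above can be tried offline. It assumes a Combined Log Format line with one extra quoted field at the end carrying the request body (as some reverse-proxy and WAF log formats provide); when that field is absent or "-", only parameters in the query string are seen. The log lines, IP addresses and timestamps are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (not taken from the advisory). Combined Log Format
# plus one trailing quoted field for the request body; "-" means no body logged.
SAMPLE_LOGS = [
    # critical: action and tcp_role=administrator travel in the query string
    '203.0.113.5 - - [10/May/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax&tcp_role=administrator HTTP/1.1" 200 512 "-" "curl/8.0" "-"',
    # critical: parameters only present in the logged request body
    '203.0.113.5 - - [10/May/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "python-requests/2.31" "action=tcp_register_and_login_ajax&tcp_role=administrator&user_login=x"',
    # medium: plugin action used, but no administrator role requested
    '198.51.100.7 - - [10/May/2026:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax HTTP/1.1" 200 128 "-" "Mozilla/5.0" "-"',
    # benign: unrelated AJAX action
    '198.51.100.8 - - [10/May/2026:12:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0" "-"',
    # benign: ordinary page view
    '198.51.100.9 - - [10/May/2026:12:00:05 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0" "-"',
]

# Combined Log Format with an optional trailing quoted body field (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<body>[^"]*)")?$'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "tcp_register_and_login_ajax"  # from the advisory


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def request_params(target, body):
    """Merge query-string and body parameters into {lower-cased name: [values]}.

    parse_qs already percent-decodes values, so 'administrator' is matched whether
    or not it was URL-encoded on the wire.
    """
    params = {}
    sources = [urlsplit(target).query]
    if body and body != "-":
        sources.append(body)
    for source in sources:
        for name, values in parse_qs(source, keep_blank_values=True).items():
            params.setdefault(name.lower(), []).extend(values)
    return params


def classify(line):
    """Return 'critical', 'medium' or None for one log line, mirroring the two rules."""
    fields = parse_line(line)
    if not fields or fields["method"] != "POST":
        return None
    if urlsplit(fields["target"]).path.lower() != AJAX_PATH:
        return None
    params = request_params(fields["target"], fields.get("body"))
    if SUSPECT_ACTION not in params.get("action", []):
        return None  # some other AJAX action; not in scope for either rule
    if any(v.strip().lower() == "administrator" for v in params.get("tcp_role", [])):
        return "critical"  # administrator registration attempt
    return "medium"  # plugin registration action without an administrator role


def scan(lines):
    """Return (severity, source_ip, timestamp) for every line that matches a rule."""
    hits = []
    for line in lines:
        severity = classify(line)
        if severity:
            fields = parse_line(line)
            hits.append((severity, fields["ip"], fields["ts"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

On a standard access log that records no request body, only the query-string variant of the request is visible, so a body-only submission would at best fire the medium rule or nothing at all; logging bodies for admin-ajax.php (or running the check at a WAF that sees them) is what makes the critical rule reliable.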
