WordPress TheCartPress creates admin accounts (CVE-2021-47932)
CVE-2021-47932: WordPress TheCartPress 1.5.3.6 unauthenticated privilege escalation lets attackers create admin accounts (CVSS 9.8). Remove or replace the plugin immediately.
Patch now - CVE-2021-47932 is a critical privilege escalation vulnerability in WordPress TheCartPress 1.5.3.6 that lets unauthenticated attackers create administrator accounts and take full control of the site. No patch is available for this abandoned plugin; immediate removal is the only safe action.
Overview
CVE-2021-47932 allows an attacker with no authentication to send a crafted POST request to the tcp_register_and_login_ajax AJAX action with the tcp_role parameter set to administrator. The plugin accepts the request without any capability or nonce check and creates a new WordPress user with full administrative privileges. Because the same handler also logs the new user in, the attacker immediately holds an authenticated administrator session and complete control over the WordPress installation.
The vulnerability carries a CVSS score of 9.8 (Critical) because it requires no authentication, no user interaction, no special network access, and has low attack complexity. Any attacker who can reach the WordPress site can exploit it.
TheCartPress was a popular e-commerce plugin for WordPress but appears to be abandoned. Version 1.5.3.6 is the last known release, and no security update has been issued for this vulnerability.
Impact
A successful attacker gains full administrative access to the WordPress dashboard. From there they can:
- Install malicious plugins and themes
- Modify or delete site content and databases
- Redirect visitors to phishing or malware pages
- Steal customer data if the site processed payments
- Use the compromised server as a pivot point for further attacks
Remediation
No patch is available from the plugin developer. The only safe remediation is to immediately remove or replace TheCartPress. Deactivate and delete the plugin from your WordPress installation.
If you rely on TheCartPress functionality, migrate to a supported e-commerce plugin like WooCommerce before removing the old plugin. Audit your WordPress user accounts after removal to ensure no unauthorized admin accounts were created.
For sites that cannot immediately remove the plugin, block access to the AJAX handler at the web application firewall (WAF) or server level. Block POST requests to wp-admin/admin-ajax.php where the action parameter equals tcp_register_and_login_ajax. This is a temporary mitigation only; removal remains the definitive fix.
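As an added example (not code from the advisory or from the TheCartPress project), the following must-use plugin implements the stop-gap above inside WordPress itself, blocking the vulnerable AJAX action before the plugin's handler runs, and adds a helper for the administrator-account audit described earlier. The file name, the function name and the 30-day review window are assumptions; drop the file into wp-content/mu-plugins/ and remove it once TheCartPress is gone.

```php
<?php
/**
 * Plugin Name: TheCartPress stop-gap for CVE-2021-47932 (added example)
 * Description: Blocks the tcp_register_and_login_ajax action and lists
 *              administrator accounts for a post-incident audit.
 */

// 1. Block the vulnerable action. admin-ajax.php fires 'admin_init' before
//    dispatching any wp_ajax_* / wp_ajax_nopriv_* hook, so priority 0 runs
//    ahead of TheCartPress's own handler for both guests and logged-in users.
//    Any method is blocked, which is slightly stricter than a POST-only rule.
add_action( 'admin_init', function () {
    if ( ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'tcp_register_and_login_ajax' !== $action ) {
        return;
    }
    // Record the attempt in the PHP error log so blocked requests are visible.
    error_log( sprintf(
        'CVE-2021-47932 blocked: %s from %s, tcp_role=%s',
        $_SERVER['REQUEST_METHOD'] ?? '?',
        $_SERVER['REMOTE_ADDR'] ?? '?',
        isset( $_POST['tcp_role'] )
            ? sanitize_key( wp_unslash( $_POST['tcp_role'] ) ) : '(none)'
    ) );
    // Sends the JSON error with HTTP 403 and terminates the request.
    wp_send_json_error( array( 'message' => 'Action disabled.' ), 403 );
}, 0 );

// 2. Audit helper: every administrator with its registration time (stored in
//    UTC), flagging accounts created inside the review window. Run it with:
//    wp eval 'print_r( cve_2021_47932_list_admins() );'
function cve_2021_47932_list_admins( $since = '-30 days' ) {
    $cutoff = strtotime( $since, current_time( 'timestamp', true ) );
    $rows   = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        $rows[] = array(
            'ID'         => $user->ID,
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'registered' => $user->user_registered,
            // true = created within the window; verify manually before trusting.
            'recent'     => strtotime( $user->user_registered ) >= $cutoff,
        );
    }
    return $rows;
}
```

Accounts flagged as recent are not automatically malicious; compare them against the site's change records and remove any the owners cannot account for.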
Security Insight
This vulnerability illustrates the danger of abandoned plugins in the WordPress ecosystem. TheCartPress was once a popular choice for e-commerce, but without continued development, it becomes a ticking time bomb. WordPress site owners must audit their plugin inventory regularly and replace any plugin that has not received updates in over a year. The same pattern - an AJAX handler without authentication checks - has appeared in dozens of WordPress plugin vulnerabilities, and it remains one of the most common and dangerous classes of flaws in the ecosystem.