CVE-2021-47932 Overview
CVE-2021-47932 is an unauthenticated privilege escalation vulnerability in the WordPress plugin TheCartPress version 1.5.3.6. The plugin exposes an AJAX handler that accepts arbitrary role values from unauthenticated requests. Attackers can submit a crafted POST request to the tcp_register_and_login_ajax action with tcp_role set to administrator and obtain full administrative access to the WordPress site. The vulnerability maps to missing authorization [CWE-862] and carries a CVSS 4.0 score of 9.3.
Critical Impact
Unauthenticated attackers can create WordPress administrator accounts remotely, leading to full site takeover, content manipulation, and arbitrary plugin or theme installation.
Affected Products
- TheCartPress WordPress plugin, version 1.5.3.6 (the only version named in the referenced advisories; earlier releases are not confirmed either way)
- Any WordPress site on which that plugin version is active; wp-admin/admin-ajax.php is reachable without login on a stock installation, so exposure is the default unless it has been explicitly restricted
Discovery Timeline
- 2026-05-10 - CVE-2021-47932 published to the National Vulnerability Database (NVD)
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2021-47932
Vulnerability Analysis
TheCartPress registers an AJAX action handler named tcp_register_and_login_ajax that is reachable by both authenticated and unauthenticated users through WordPress admin-ajax.php (an action is only reachable without login when it is hooked on wp_ajax_nopriv_{action}, so the plugin registers it there). The handler accepts user-supplied registration parameters, including a tcp_role field, and uses that value as the role of the WordPress user account it creates.
The plugin does not validate or restrict the role value submitted by the client. As a result, an attacker can pass administrator as the requested role and the plugin creates a privileged account on their behalf. No nonce, capability check, or authentication is required to reach the vulnerable code path.
Once the account is created, the attacker can log in through the standard WordPress login form and gain full control of the site. The flaw is documented in the VulnCheck Advisory on WordPress TheCartPress and the Exploit-DB entry #50378.
Root Cause
The root cause is missing authorization combined with improper input validation in the registration AJAX handler. The plugin trusts a client-controlled role parameter and passes it directly into the user creation routine. Role assignment must be decided server-side: self-registration should always receive the site's configured default role (get_option('default_role')), and any request for a different role should be honored only for a logged-in caller who passes a capability check such as current_user_can('promote_users'), and only for a role that caller is allowed to assign (WordPress core uses get_editable_roles() for this). A nonce check (check_ajax_referer) is needed as well so the endpoint cannot be driven cross-site, although on its own a nonce would not have stopped this attack.
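To make the root cause concrete, the following is an added illustrative example and not TheCartPress's own code: a registration AJAX handler written in the vulnerable pattern this advisory describes, followed by a hardened version. The function names (tcp_example_register_*), the tcp_nonce field name and the username/email/password field names are assumptions for the example; only the action name and tcp_role come from the advisory.

```php
<?php
// Added example: vulnerable vs. hardened WordPress AJAX registration handler.
// Not TheCartPress code; names other than the action and tcp_role are assumed.

// VULNERABLE PATTERN: the role comes straight from the request and the handler
// is reachable without login via the wp_ajax_nopriv_ hook.
function tcp_example_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( $_POST['username'] ?? '' ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        // Client-controlled: 'administrator' is accepted as-is.
        'role'       => $_POST['tcp_role'] ?? get_option( 'default_role' ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message() );
    }
    wp_set_auth_cookie( $user_id );          // "register and login"
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_tcp_register_and_login_ajax', 'tcp_example_register_vulnerable' );
add_action( 'wp_ajax_nopriv_tcp_register_and_login_ajax', 'tcp_example_register_vulnerable' );

// HARDENED: nonce, registration switch, and a server-side role decision.
function tcp_example_register_hardened() {
    // Reject forged cross-site requests; the form must embed
    // wp_nonce_field( 'tcp_register', 'tcp_nonce' ). (Assumed nonce name.)
    check_ajax_referer( 'tcp_register', 'tcp_nonce' );

    if ( ! get_option( 'users_can_register' ) ) {
        wp_send_json_error( 'Registration is disabled.', 403 );
    }

    // Self-registration always gets the configured default role. A non-default
    // role is honored only for a logged-in caller who may promote users, and
    // only if it is one of the roles that caller is allowed to assign.
    $role = get_option( 'default_role' );
    if ( isset( $_POST['tcp_role'] ) && current_user_can( 'promote_users' ) ) {
        $requested = sanitize_key( $_POST['tcp_role'] );
        if ( array_key_exists( $requested, get_editable_roles() ) ) {
            $role = $requested;
        }
    }

    $userdata = array(
        'user_login' => sanitize_user( $_POST['username'] ?? '', true ),
        'user_email' => sanitize_email( $_POST['email'] ?? '' ),
        'user_pass'  => $_POST['password'] ?? '',
        'role'       => $role,
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_set_auth_cookie( $user_id );
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_tcp_register_and_login_ajax', 'tcp_example_register_hardened' );
add_action( 'wp_ajax_nopriv_tcp_register_and_login_ajax', 'tcp_example_register_hardened' );
```

The key difference is that the hardened handler never lets the client choose the role: an anonymous caller always lands in the default role no matter what tcp_role says, and even a logged-in caller is limited to get_editable_roles(), which is the same restriction WordPress applies on its own Add New User screen. get_editable_roles() lives in wp-admin/includes/user.php, which admin-ajax.php loads, so it is available in this context.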
Attack Vector
The attack is fully remote and unauthenticated over the network. An attacker sends an HTTP POST request to wp-admin/admin-ajax.php with action=tcp_register_and_login_ajax, supplies registration fields such as username, password, and email, and sets tcp_role=administrator. The server responds by creating the requested administrator account, after which the attacker authenticates normally and proceeds with post-exploitation actions such as uploading malicious plugins or web shells.
A verified proof-of-concept request structure is published in the Exploit-DB entry #50378.
Detection Methods for CVE-2021-47932
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php carrying action=tcp_register_and_login_ajax without a WordPress login cookie (wordpress_logged_in_*). Note that the action parameter may be sent in the POST body rather than the query string; standard web server access logs record only the query string, so body-level indicators require WAF, reverse-proxy or application-level logging.
- Request bodies containing tcp_role=administrator or another elevated WordPress role value (editor, shop manager roles added by plugins, and so on).
- Unexpected new WordPress users with the administrator role created shortly after suspicious AJAX traffic.
- Plugin installation, theme modification, or wp-content/uploads file uploads performed by newly created accounts.
Detection Strategies
- Audit the WordPress user tables for unexpected administrators: roles are stored in wp_usermeta (with the site's table prefix) under meta_key {prefix}capabilities as a serialized PHP array, so look for values containing "administrator" and compare the matching wp_users rows (user_login, user_email, user_registered) against the accounts the site owner actually provisioned.
- Inspect web server access logs for POST requests to admin-ajax.php that reference the tcp_register_and_login_ajax action in the query string, and treat POSTs to admin-ajax.php with no visible action as candidates to confirm against request-body logs, since the action may have been sent in the body.
- Correlate new user registration events (user_registered timestamps) with preceding suspicious AJAX traffic from the same client and with subsequent privileged actions such as plugin uploads, theme edits or option changes.
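The detection logic above, as an added example that is not part of the original advisory: a stand-alone PHP 8 script (the language of the affected system) that parses access log lines in Combined Log Format, flags the request pattern for this CVE, and correlates flagged requests with administrators registered shortly afterwards. The log lines, IP addresses and user records are constructed for the example; in practice the user records would come from wp_users joined to wp_usermeta as described above.

```php
<?php
// Added example: detect CVE-2021-47932 request patterns in access logs and
// correlate them with newly registered administrators. All data is constructed.

// Combined Log Format: ip - - [time] "METHOD path HTTP/x" status bytes "ref" "ua"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';

$access_log = <<<'LOG'
203.0.113.7 - - [10/May/2026:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax HTTP/1.1" 200 58 "-" "python-requests/2.31"
198.51.100.4 - - [10/May/2026:14:02:40 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:14:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/May/2026:14:03:09 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4203 "-" "python-requests/2.31"
192.0.2.9 - - [10/May/2026:14:10:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "curl/8.4"
LOG;

// Constructed extract of wp_users joined with the {prefix}capabilities meta.
$users = [
    ['user_login' => 'admin',  'user_registered' => '2024-01-05 09:00:00', 'role' => 'administrator'],
    ['user_login' => 'x9k2lq', 'user_registered' => '2026-05-10 14:02:12', 'role' => 'administrator'],
    ['user_login' => 'jsmith', 'user_registered' => '2026-05-10 14:09:58', 'role' => 'subscriber'],
];

function parse_line(string $line): ?array {
    if (!preg_match(LOG_RE, $line, $m)) {
        return null;
    }
    $url = parse_url($m[4]);
    parse_str($url['query'] ?? '', $query);
    return [
        'ip'     => $m[1],
        'time'   => DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]),
        'method' => $m[3],
        'path'   => $url['path'] ?? '',
        'action' => $query['action'] ?? null,
        'status' => (int) $m[5],
    ];
}

// Flag POSTs to admin-ajax.php naming the vulnerable action in the query
// string, and POSTs with no visible action: the action may be in the body,
// which a plain access log does not record, so those need body logs to confirm.
function suspicious_requests(string $log): array {
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || $r['method'] !== 'POST'
            || !str_ends_with($r['path'], '/wp-admin/admin-ajax.php')) {
            continue;
        }
        if ($r['action'] === 'tcp_register_and_login_ajax') {
            $r['reason'] = 'vulnerable action in query string';
            $hits[] = $r;
        } elseif ($r['action'] === null) {
            $r['reason'] = 'action not visible; confirm against request-body logging';
            $hits[] = $r;
        }
    }
    return $hits;
}

// Administrators whose registration falls within $window seconds after a hit.
function correlate(array $hits, array $users, int $window = 600): array {
    $out = [];
    foreach ($users as $u) {
        if ($u['role'] !== 'administrator') {
            continue;
        }
        $reg = new DateTimeImmutable($u['user_registered'], new DateTimeZone('UTC'));
        foreach ($hits as $h) {
            $delta = $reg->getTimestamp() - $h['time']->getTimestamp();
            if ($delta >= 0 && $delta <= $window) {
                $out[] = sprintf('%s registered %ds after POST %s from %s (%s)',
                    $u['user_login'], $delta, $h['path'], $h['ip'], $h['reason']);
            }
        }
    }
    return $out;
}

$hits = suspicious_requests($access_log);
foreach ($hits as $h) {
    printf("[%s] %s %s action=%s -> %s\n",
        $h['time']->format('c'), $h['ip'], $h['path'], $h['action'] ?? '-', $h['reason']);
}
foreach (correlate($hits, $users) as $line) {
    echo "CORRELATED: $line\n";
}
```

On the constructed data this reports two hits (the query-string hit from 203.0.113.7 and the body-only candidate from 192.0.2.9) and one correlation: x9k2lq became an administrator one second after the first hit. The wp-login.php and update.php?action=upload-plugin lines from the same client are the post-exploitation steps the advisory describes and are what the third detection strategy would pivot to next.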
Monitoring Recommendations
- Enable WordPress audit logging for user creation, role changes, and plugin installation events.
- Forward web server and WordPress logs to a centralized analytics platform for retention and correlation.
- Alert on any admin-ajax.php request carrying role-related parameters (tcp_role or similar) that arrives without a valid WordPress login cookie (wordpress_logged_in_*), and on any user creation event whose resulting role is administrator.
How to Mitigate CVE-2021-47932
Immediate Actions Required
- Deactivate and remove TheCartPress 1.5.3.6 from all WordPress installations until a fixed release is confirmed.
- Review all WordPress accounts and delete any unauthorized administrator users, then rotate credentials for legitimate administrators. Changing the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY values (and their salts) in wp-config.php invalidates every existing login cookie, which also evicts any session the attacker still holds.
- Restore the site from a known-good backup if unauthorized administrative activity is observed.
- Inspect wp-content/plugins and wp-content/uploads for files added by attacker-controlled accounts.
Patch Information
No vendor patch is referenced in the available advisories. Site operators should monitor the plugin's listing in the WordPress plugin directory for an updated release and apply it as soon as it becomes available. Until then, treat the plugin as end-of-life and replace it with a maintained eCommerce alternative.
Workarounds
- Block requests to admin-ajax.php where the action parameter equals tcp_register_and_login_ajax using a web application firewall rule.
- Disable user registration in WordPress under Settings → General by clearing the "Anyone can register" option. This controls core registration; the advisories do not state whether the plugin's own handler honors the users_can_register setting, so do not rely on this alone.
- Restrict access to wp-admin/admin-ajax.php from untrusted networks where feasible. Be aware that many themes and plugins use admin-ajax.php for front-end features, so a blanket restriction can break site functionality; the action-specific WAF rule below is the more targeted option.
- Replace TheCartPress with an actively maintained eCommerce plugin that receives security updates.
# Example WAF rule (ModSecurity) to block the vulnerable AJAX action.
# ARGS covers both query-string and POST-body parameters, but body
# parameters are only parsed when SecRequestBodyAccess is On.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "id:1047932,phase:2,t:none,chain,deny,status:403,log,\
    msg:'Block CVE-2021-47932 TheCartPress privilege escalation'"
    SecRule ARGS:action "@streq tcp_register_and_login_ajax" "t:none"
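For sites that cannot remove the plugin immediately and do not have a WAF in front of WordPress, the same workaround can be applied inside WordPress itself, and it can double as the audit logging recommended under Monitoring Recommendations. The following must-use plugin is an added example, not TheCartPress or WordPress code: it denies the tcp_register_and_login_ajax action to any caller who is not logged in with the promote_users capability, and logs every user creation and role change with the requester's IP, login state and triggering AJAX action. The file name and the log line formats are assumptions; the hooks used (init, user_register, set_user_role) and the helper functions are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: CVE-2021-47932 virtual patch
 * Description: Blocks unauthenticated use of the TheCartPress registration AJAX
 *              action and logs user creations and role changes.
 *
 * Added example, not TheCartPress or WordPress code. Save it as
 * wp-content/mu-plugins/cve-2021-47932-virtual-patch.php (assumed file name);
 * must-use plugins load before regular plugins and cannot be deactivated
 * from the dashboard.
 */

// 1. Virtual patch. admin-ajax.php dispatches wp_ajax_nopriv_* handlers after
//    'init', and the current user is already resolved by then, so an 'init'
//    hook at priority 0 runs before the vulnerable handler can.
add_action( 'init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    if ( 'tcp_register_and_login_ajax' !== $action ) {
        return;
    }
    if ( current_user_can( 'promote_users' ) ) {
        return; // A logged-in administrator onboarding staff is allowed through.
    }
    error_log( sprintf(
        'CVE-2021-47932 blocked: ip=%s tcp_role=%s username=%s',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        isset( $_POST['tcp_role'] ) ? sanitize_key( $_POST['tcp_role'] ) : '-',
        isset( $_POST['username'] ) ? sanitize_user( $_POST['username'] ) : '-'
    ) );
    wp_send_json_error( 'Registration via this endpoint is disabled.', 403 );
}, 0 );

// 2. Audit trail for user creation and role changes, with request context.
function cve_2021_47932_request_context() {
    return sprintf(
        'ip=%s actor=%s ajax_action=%s',
        $_SERVER['REMOTE_ADDR'] ?? '-',
        is_user_logged_in() ? wp_get_current_user()->user_login : 'anonymous',
        isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '-'
    );
}

// user_register fires after wp_insert_user has assigned the role, so the
// roles array is already populated here.
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    error_log( sprintf(
        'user_register: id=%d login=%s roles=%s %s',
        $user_id, $user->user_login, implode( ',', $user->roles ),
        cve_2021_47932_request_context()
    ) );
} );

// set_user_role fires for every WP_User::set_role() call. A brand-new account
// (no previous roles) landing directly in 'administrator' is the signature of
// this bug, so it is tagged for alerting.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $level = ( 'administrator' === $role && empty( $old_roles ) ) ? 'ALERT' : 'info';
    error_log( sprintf(
        '%s set_user_role: id=%d new=%s old=%s %s',
        $level, $user_id, $role, implode( ',', $old_roles ),
        cve_2021_47932_request_context()
    ) );
}, 10, 3 );
```

The block and the log lines go to PHP's error_log destination, which on most hosts is the web server's error log; forward that file to the central log platform so the ALERT entries can be correlated with the access log indicators above. Unlike the WAF rule, this check runs after WordPress has resolved the login cookie, so it can distinguish an anonymous attacker from a legitimate administrator using the same endpoint.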