CVE-2021-47932
Published 2026-05-10
Priority: P2 · 64 · critical · 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.40% (32.2nd percentile)
WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication.
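The page lists no detection rule for this CVE, so the following is an added example of what one looks like: a small Python checker that inspects raw HTTP request records for calls to the flawed action that request a privileged role. It is not code from this page or from the TheCartPress project. It assumes the standard WordPress AJAX entry point (`/wp-admin/admin-ajax.php`, which takes `action` from either the query string or the POST body), that request bodies are available (a WAF or reverse-proxy request log, not a plain access log), and the constructed sample records embedded below. The set of privileged roles beyond `administrator` is also an assumption; the advisory only documents `administrator`.

```python
"""Flag CVE-2021-47932 exploitation attempts in raw HTTP request records.

Added example, not the CVE page's or the plugin's own code. Assumptions:
the WordPress AJAX endpoint is /wp-admin/admin-ajax.php, the full request
body is available, and the sample records below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

VULN_ACTION = "tcp_register_and_login_ajax"
# Roles a self-registration must never be allowed to request. 'administrator'
# comes from the advisory; the others are an assumption for illustration.
PRIVILEGED_ROLES = {"administrator", "editor", "shop_manager"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, query dict, body dict)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)  # URL-decodes values for us
    return method, parts.path, query, form


def first(params, key):
    """First value for key, lower-cased and stripped, or None if absent."""
    values = params.get(key)
    return values[0].strip().lower() if values else None


def classify(raw):
    """Return a finding for a request hitting the vulnerable action, else None."""
    method, path, query, form = parse_request(raw)
    if not path.endswith("/admin-ajax.php"):
        return None
    # admin-ajax.php reads the action from $_REQUEST, so check body then query.
    action = first(form, "action") or first(query, "action")
    if action != VULN_ACTION:
        return None
    role = first(form, "tcp_role") or first(query, "tcp_role")
    severity = "critical" if role in PRIVILEGED_ROLES else "info"
    # An unprivileged role through the same handler is still logged: the
    # handler trusts the client-supplied value either way.
    return {"method": method, "action": action,
            "requested_role": role, "severity": severity}


def scan(records):
    """Run classify over a list of raw requests and keep the findings."""
    return [f for f in (classify(r) for r in records) if f]


# Constructed sample records (not real traffic).
SAMPLE_REQUESTS = [
    # ordinary self-registration asking for an unprivileged role
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=tcp_register_and_login_ajax&tcp_role=customer&tcp_user_login=alice&tcp_user_pass=s3cret",
    # exploitation attempt: role requested in the body
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: shop.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=tcp_register_and_login_ajax&tcp_role=administrator&tcp_user_login=evil&tcp_user_pass=pwned",
    # exploitation attempt: action in the query string, role mixed-case and encoded
    "POST /wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax HTTP/1.1\r\n"
    "Host: shop.example\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\n"
    "tcp_role=%41dministrator&tcp_user_login=evil2&tcp_user_pass=pwned",
    # unrelated AJAX action
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: shop.example\r\n\r\naction=heartbeat",
    # non-AJAX request
    "GET /shop/ HTTP/1.1\r\nHost: shop.example\r\n\r\n",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Two caveats for anyone turning this into a production rule. First, the match is on the decoded body, so it needs a log source that records request bodies; an access log alone only shows the path. Second, detection is a stopgap: the remediation for a CWE-862 flaw of this shape is server-side, and a registration handler should never derive the new account's role from a client-supplied parameter at all.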
Affected (1 range; no fixed version listed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thecartpress | thecartpress | <= 1.5.3.6 | — |
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v4.0: 9.3 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N; environmental, threat and supplemental metrics not defined)
VulDB
TheCartPress up to 1.5.3.6 AJAX tcp_register_and_login_ajax authorization (Exploit 50378 / EDB-50378)
vuldb · 2026-05-10 · CVSS 9.3 · CRITICAL
A vulnerability was found in TheCartPress up to 1.5.3.6 and rated as critical. Affected is the function tcp_register_and_login_ajax of the component AJAX Handler. The manipulation leads to missing authorization.
This vulnerability is tracked as CVE-2021-47932. The attack can be launched remotely, and an exploit is available.
GHSA
GHSA-r2pw-m85m-3mfq: WordPress TheCartPress 1
ghsa (unreviewed) · 2026-05-10 · CRITICAL · CWE-862
No detection rules found.
No public exploits indexed on this page (the VulDB entry above references Exploit 50378 / EDB-50378).
No writeups or analysis indexed.