Executive Summary
A critical privilege escalation vulnerability (CVE-2021-47932) has been identified in the TheCartPress plugin for WordPress, affecting version 1.5.3.6 and earlier. The flaw carries a CVSS score of 9.8 and allows unauthenticated attackers to create new WordPress administrator accounts on any affected site.
The root cause is an unprotected AJAX handler (tcp_register_and_login_ajax) that accepts user-controlled role values without authentication or authorization checks. An attacker can POST a crafted request setting tcp_role to administrator, causing the plugin to register a fully privileged account — giving the attacker complete control over the WordPress installation.
All WordPress sites running TheCartPress version 1.5.3.6 or earlier should update or deactivate the plugin immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2021-47932 |
| CVSS Score | 9.8 (Critical); vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-269 — Improper Privilege Management |
| Type | Unauthenticated Privilege Escalation / Admin Account Creation |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Scope | Unchanged (a 9.8 base score corresponds to S:U; a changed scope with these metrics would score 10.0) |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Check plugin repository for updated release |
Affected Versions
| Plugin | Affected Versions | Fixed Version |
|---|---|---|
| TheCartPress | <= 1.5.3.6 | Update to patched release |
Technical Analysis
Root Cause
TheCartPress 1.5.3.6 registers an AJAX action, tcp_register_and_login_ajax, on the wp_ajax_nopriv_ hook, so admin-ajax.php dispatches it for requests that carry no authentication cookie. The handler performs user registration, including role assignment, and the tcp_role parameter taken from the POST body is never validated against an allowlist of roles a self-registering visitor may hold.
Because admin-ajax.php reads the action name from $_REQUEST, the request works whether action= is in the query string or in the POST body. An attacker passes tcp_role=administrator alongside the other registration fields; since the handler neither requires the caller to be authenticated nor checks a capability such as promote_users before honouring the requested role, WordPress creates the user with the administrator role.
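The bug class described above, shown as an added illustration: a wp_ajax_nopriv_ handler that copies a client-supplied role into the new account, followed by a hardened version. This is example code written for this advisory, not TheCartPress's source, which the advisory does not reproduce. The parameter names tcp_user_login, tcp_user_email, tcp_user_pass and tcp_role are the ones the advisory names; the nonce action name tcp_register, the nonce field tcp_nonce and the customer role in the allowlist are assumptions.

```php
<?php
// Added example: illustrative reconstruction of the bug class, NOT TheCartPress's code.

// --- Vulnerable pattern ------------------------------------------------------
// Hooked on wp_ajax_nopriv_, so admin-ajax.php runs it for anonymous callers.
// The role comes straight from the request, so tcp_role=administrator wins.
function tcp_register_vulnerable() {
    $user_id = wp_create_user($_POST['tcp_user_login'], $_POST['tcp_user_pass'], $_POST['tcp_user_email']);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message());
    }
    $user = new WP_User($user_id);
    $user->set_role($_POST['tcp_role']);          // no allowlist, no capability check
    wp_set_auth_cookie($user_id);
    wp_send_json_success(['user_id' => $user_id]);
}
// add_action('wp_ajax_nopriv_tcp_register_and_login_ajax', 'tcp_register_vulnerable'); // never ship this

// --- Hardened pattern --------------------------------------------------------
// Roles an anonymous visitor may self-select. 'customer' is an assumed shop role;
// administrator, editor and any shop-manager role must never appear here.
const TCP_SELF_SERVICE_ROLES = ['subscriber' => true, 'customer' => true];

function tcp_register_hardened() {
    // Respect the site-wide registration switch.
    if (!get_option('users_can_register')) {
        wp_send_json_error('Registration is disabled.', 403);
    }
    // Nonce name and field are assumptions. For logged-out callers a nonce is
    // CSRF protection only; it is not an authorization check and does not
    // replace the role allowlist below.
    check_ajax_referer('tcp_register', 'tcp_nonce');

    $login = sanitize_user(wp_unslash($_POST['tcp_user_login'] ?? ''), true);
    $email = sanitize_email(wp_unslash($_POST['tcp_user_email'] ?? ''));
    $pass  = (string) wp_unslash($_POST['tcp_user_pass'] ?? '');
    if (!validate_username($login) || !is_email($email) || strlen($pass) < 12) {
        wp_send_json_error('Invalid registration data.', 400);
    }

    // The fix that matters: the role is chosen server-side from a fixed allowlist
    // of roles that exist on this site. Anything else, "administrator" included,
    // silently falls back to the site default.
    $requested = sanitize_key(wp_unslash($_POST['tcp_role'] ?? ''));
    $role = (isset(TCP_SELF_SERVICE_ROLES[$requested]) && get_role($requested))
        ? $requested
        : get_option('default_role', 'subscriber');

    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => $role,
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message(), 400);
    }
    wp_set_current_user($user_id);
    wp_set_auth_cookie($user_id, false, is_ssl());
    wp_send_json_success(['user_id' => $user_id, 'role' => $role]);
}
add_action('wp_ajax_nopriv_tcp_register_and_login_ajax', 'tcp_register_hardened');
```

Granting any elevated role must go through a separate, authenticated path that checks current_user_can('promote_users'); a public registration endpoint should have no way to express "administrator" at all.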
Attack Flow
1. Attacker identifies a WordPress site running TheCartPress <= 1.5.3.6
2. Attacker sends a single unauthenticated POST request (no session cookie, no nonce) to admin-ajax.php:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: <target>
Content-Type: application/x-www-form-urlencoded

action=tcp_register_and_login_ajax&tcp_user_login=attacker_user&tcp_user_email=attacker@evil.com&tcp_user_pass=AttackerPassword123!&tcp_role=administrator
3. The plugin processes the registration without validating tcp_role
4. WordPress creates a new user with the administrator role
5. Attacker logs in at wp-login.php with the credentials just registered
6. Full WordPress admin access: themes, plugins, files, database, users
7. Attacker installs a webshell plugin or adds a backdoor PHP file for persistence
Exploitation Conditions
- TheCartPress version 1.5.3.6 or earlier must be installed and active
- No authentication required
- No other preconditions — attack is fully remote and unauthenticated
- Exploit can be automated; no user interaction on the victim side
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Admin Takeover | Attacker gains WordPress administrator privileges |
| Site Defacement | Admin can modify themes, content, and appearance |
| Webshell Installation | Malicious plugins or PHP file uploads for persistent RCE |
| User Data Theft | Access to all WordPress user accounts, emails, and metadata |
| eCommerce Data Compromise | TheCartPress order data, customer PII and any stored payment details, plus the data of any co-installed shop plugin such as WooCommerce |
| SEO Poisoning | Injection of spam links or malicious redirects |
| Hosting Pivot | Shared hosting environments can expose adjacent sites |
| Malware / Phishing Hosting | The site becomes infrastructure for phishing pages or malware delivery |
Immediate Remediation
Step 1: Update or Deactivate TheCartPress
Check the plugin repository for a patched version of TheCartPress. If no patch is available, deactivate and remove the plugin immediately.
# Via WP-CLI — check current version (plugin slug assumed to be thecartpress; confirm with `wp plugin list`)
wp plugin get thecartpress --field=version
# Update if a patched release is available
wp plugin update thecartpress
# If no patch exists — deactivate and delete. Deactivation stops the AJAX handler from loading;
# deleting removes the vulnerable files so the plugin cannot be re-enabled by mistake.
wp plugin deactivate thecartpress
wp plugin delete thecartpress
Step 2: Audit for Unauthorized Administrator Accounts
# List all administrator accounts and compare against the known-good list
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
# Check for recently created admin accounts (last 7 days). Replace the wp_ table prefix
# and the wp_capabilities meta key with your own $table_prefix if it differs.
wp db query "SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON u.ID = m.user_id
WHERE m.meta_key = 'wp_capabilities'
AND m.meta_value LIKE '%administrator%'
AND u.user_registered > DATE_SUB(NOW(), INTERVAL 7 DAY)
ORDER BY u.user_registered DESC;"
# user_registered is an ordinary column an attacker with admin access can edit, so do not rely on
# the date filter alone; reconcile the full administrator list against your records.
# Remove suspicious accounts, reassigning their content to a trusted administrator
wp user delete <suspicious_user_id> --reassign=<trusted_admin_id>
Step 3: Block the Vulnerable AJAX Action (Temporary Workaround)
If the plugin cannot be deactivated immediately, block the vulnerable AJAX action. The server-level rules below are a stopgap only: they inspect the query string, while admin-ajax.php also accepts action= in the POST body.
# Nginx — add inside the existing location that hands .php to php-fpm (usually location ~ \.php$).
# A separate prefix location for /wp-admin/admin-ajax.php is shadowed by that regex location
# and would never match.
if ($arg_action = "tcp_register_and_login_ajax") {
    return 403;
}
# Apache — block via mod_rewrite (.htaccess or vhost)
RewriteCond %{QUERY_STRING} action=tcp_register_and_login_ajax [NC]
RewriteRule ^ - [F,L]
# Both rules see only the query string; a request carrying action= in the POST body passes through.
Step 4: Harden WordPress User Registration
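The Nginx and Apache rules below match only the query string, but admin-ajax.php reads the action name from $_REQUEST, so a request that carries action=tcp_register_and_login_ajax in the POST body (exactly as in the attack flow above) is not stopped by them. The following must-use plugin is an added example written for this advisory, not part of TheCartPress or of any vendor fix: it refuses the action wherever the parameter arrives and, as defense in depth, reverts any elevated role that an unauthenticated AJAX request manages to assign. The file name, the log line format and the use of error_log are assumptions; drop the file into wp-content/mu-plugins/ so it loads before ordinary plugins and cannot be deactivated from wp-admin. It needs WordPress 4.7 or later for wp_doing_ajax().

```php
<?php
/**
 * Plugin Name: Disable tcp_register_and_login_ajax (temporary mitigation)
 * Description: Added example, not part of TheCartPress. Install in wp-content/mu-plugins/.
 */

// 1. Refuse the vulnerable action however "action" arrives (query string or body).
//    admin-ajax.php fires admin_init before dispatching wp_ajax_* and wp_ajax_nopriv_*,
//    so a late admin_init hook sees every AJAX request, including anonymous ones.
add_action('admin_init', function () {
    if (!wp_doing_ajax()) {
        return;
    }
    $action = isset($_REQUEST['action']) ? sanitize_key(wp_unslash($_REQUEST['action'])) : '';
    if ($action !== 'tcp_register_and_login_ajax') {
        return;
    }
    // Log format is an assumption; feed it to whatever collects PHP error logs.
    error_log(sprintf('[tcp-mitigation] blocked action %s from %s',
        $action, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    wp_send_json_error('This action has been disabled.', 403);   // wp_die()s; the handler never runs
}, PHP_INT_MAX);

// 2. Defense in depth: an anonymous AJAX request must never leave a user with a
//    role above the site default, whichever plugin performs the assignment.
//    Callers holding promote_users (administrators doing legitimate user
//    management) are left alone; WP-CLI and cron are not AJAX and are untouched.
//    Limitation: code that writes the wp_capabilities meta directly bypasses
//    these hooks, so this complements removal of the plugin, it does not replace it.
function tcp_mitigation_revert_elevation($user_id, $role) {
    if (!wp_doing_ajax() || current_user_can('promote_users')) {
        return;
    }
    $default = get_option('default_role', 'subscriber');
    if ($role === $default) {
        return;
    }
    error_log(sprintf('[tcp-mitigation] reverting role %s on user %d to %s',
        $role, $user_id, $default));
    $user = new WP_User($user_id);
    // set_role() re-fires set_user_role with $role === $default, which returns above.
    $user->set_role($default);
}
add_action('set_user_role', 'tcp_mitigation_revert_elevation', 10, 2);
add_action('add_user_role', 'tcp_mitigation_revert_elevation', 10, 2);
```

Part 1 is the actual mitigation for this CVE; part 2 is a generic guard that also catches the same bug class in other plugins, at the cost of breaking any plugin that legitimately promotes users from an anonymous AJAX call, which is itself a pattern worth finding.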
# Disable open user registration if not needed. A plugin's own registration endpoint may
# ignore this option, which is why updating or removing the plugin is still required.
wp option update users_can_register 0
# Set default role to subscriber (never administrator)
wp option update default_role subscriber
# Regenerate WordPress secret keys to invalidate existing sessions; every user, including
# any attacker-created account, must log in again
wp config shuffle-salts
Detection Indicators
| Indicator | Description |
|---|---|
| New administrator accounts created in last 24-72 hours | Post-exploitation account creation |
| POST requests to admin-ajax.php carrying action=tcp_register_and_login_ajax | Active exploitation attempt. Standard access logs record only the query string; the action may also arrive in the POST body, so pair log review with WAF or request-body logging and with the administrator-account audit |
| Admin logins from unfamiliar IPs or geolocations | Unauthorized admin session |
| New plugins installed or file system changes | Post-exploitation persistence |
| Unusual content changes, injected links, or redirects | Active defacement or SEO spam |
Post-Remediation Checklist
- Update or remove TheCartPress plugin immediately
- Audit all administrator accounts — delete any that are unauthorized
- Reset passwords for all legitimate administrator accounts
- Regenerate WordPress secret keys to invalidate all active sessions
- Scan for webshells in wp-content/ and plugin directories
- Review plugin list for unauthorized installations
- Check file modification timestamps for PHP files altered after the attack window
- Enable two-factor authentication on all administrator accounts
- Deploy a WAF with WordPress hardening rules (Wordfence, Cloudflare)
- Monitor admin user creation with an alerting plugin or SIEM integration