CVE-2021-47932

CRITICAL

WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47932. PoCs published by spacehen.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated privilege escalation vulnerability in TheCartPress WordPress plugin by registering a new administrator account via an AJAX endpoint. It sends a crafted POST request to bypass authentication and create an admin user.

Description

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication.

Exploits (1)

exploitdb WORKING POC VERIFIED
by spacehen · pythonwebappsphp
https://www.exploit-db.com/exploits/50378

This exploit demonstrates an unauthenticated privilege escalation vulnerability in TheCartPress WordPress plugin by registering a new administrator account via an AJAX endpoint. It sends a crafted POST request to bypass authentication and create an admin user.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: TheCartPress WordPress Plugin <= 1.5.3.6
No auth needed
Prerequisites: WordPress site with TheCartPress plugin installed and vulnerable
devstral-2 · analyzed May 10, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit exploit
ExploitDB-50378
https://www.exploit-db.com/exploits/50378
Product product
Official Product Homepage
https://wordpress.org/plugin/thecartpress
Third Party Advisory third-party-advisory
VulnCheck Advisory: WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated
https://www.vulncheck.com/advisories/wordpress-thecartpress-privilege-escalation-unauthenticated

Scores

CVSS v3 9.8
EPSS 0.0040
EPSS Percentile 32.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-862
Status published
Products (1)
thecartpress/TheCartPress < 1.5.3.6
Published May 10, 2026
Tracked Since May 10, 2026