CVE-2021-47932

critical

Published 2026-05-10 · Modified 2026-05-12

CVSS v3

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2

—

VIR risk

9.8

Description

WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication.

Predictions

Exploit likelihood

97%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No vendor mitigations ingested yet for this CVE. The mitigation-content worker queues fetches as references arrive — check back in a few minutes, or see the references list below.

References

https://wordpress.org/plugin/thecartpress
https://www.exploit-db.com/exploits/50378
https://www.vulncheck.com/advisories/wordpress-thecartpress-privilege-escalation-unauthenticated

CWEs

CWE-862

Verify integrity in audit chain (admin only). AS-IS.