Introduction
An abandoned WordPress e-commerce plugin with no available patch still exposes hundreds of sites to full administrative takeover via a single unauthenticated HTTP request. CVE-2021-47932 targets TheCartPress, a WordPress shopping cart plugin that was last updated in January 2017 and permanently removed from the WordPress plugin repository in October 2021 due to this exact security issue.
TheCartPress was a free, open source e-commerce solution for WordPress that provided shopping cart, product catalog, and checkout functionality. Over its lifetime, the plugin accumulated more than 200,000 downloads according to Wordfence. Despite its removal from the repository, approximately 500 active installations remain, representing a residual but real attack surface.
Technical Information
The root cause of CVE-2021-47932 is a missing authorization check (CWE-862) in the plugin's AJAX registration handler. The vulnerable function, tcp_register_and_login_ajax, is registered using a WordPress "nopriv" hook. In WordPress plugin development, the wp_ajax_nopriv_ prefix makes an AJAX action accessible to users who are not logged in. This is appropriate for actions like login or public search, but it is dangerous when the handler performs privileged operations without verifying the caller's identity or permissions.
The function directly reads the tcp_role parameter from the incoming POST request and assigns that role to the newly created WordPress user. There is no check to confirm whether the requester is authorized to create users, and critically, there is no restriction on which roles can be assigned. An attacker can simply set tcp_role to administrator and receive a fully privileged account.
Attack Flow
The exploitation path is straightforward:
- The attacker identifies a WordPress site running TheCartPress (version 1.5.3.6 or earlier).
- The attacker sends a POST request to
wp-admin/admin-ajax.phpon the target site. - The POST body includes the following parameters:
| Parameter | Value | Purpose |
|---|---|---|
| action | tcp_register_and_login_ajax | Targets the vulnerable AJAX handler |
| tcp_role | administrator | Grants full administrative privileges |
| tcp_new_user_name | Arbitrary string | Sets the new administrator username |
| tcp_new_user_pass | Arbitrary string | Sets the new administrator password |
| tcp_new_user_email | Arbitrary email | Sets the new administrator email address |
- The server processes the request, creates a new user with the
administratorrole, and returns an empty string response on success. - The attacker logs in with the newly created credentials and has full administrative control over the WordPress installation.
A public proof of concept script written in Python has been available on Exploit-DB since October 2021. The script automates this entire flow and verifies success by checking for an empty string response from the server. If a Web Application Firewall is properly configured to block the request, the server returns a 403 Forbidden error instead.
The CVSS score for this vulnerability is 9.8 (Critical) according to Patchstack and WPScan. VulnCheck assigns a CVSS v4 score of 9.3. The critical rating reflects the fact that exploitation requires no authentication, no user interaction, and results in complete compromise of the WordPress installation.
Affected Systems and Versions
All versions of the WordPress TheCartPress plugin up to and including version 1.5.3.6 are affected. This is the final released version of the plugin. No patched version exists.
The plugin was permanently closed on the WordPress plugin repository on October 5, 2021. Despite this closure, Wordfence reports approximately 500 active installations remain. Any WordPress site still running TheCartPress in any version is vulnerable.
Vendor Security History
TheCartPress has a documented history of critical security vulnerabilities spanning nearly a decade:
| Vulnerability Type | Published Date | Fixed Version | CVSS Score |
|---|---|---|---|
| Unauthenticated Admin Creation | 2021-10-05 | No known fix | 9.8 |
| Multiple Vulnerabilities | 2015-04-29 | 1.3.9.3 | 7.5 |
| Remote File Inclusion | 2014-08-01 | 1.1.2 | Not Available |
| Cross Site Scripting | 2011-12-31 | 1.1.6 | Not Available |
This pattern of critical security issues, combined with the plugin's abandonment in 2017, culminated in the unpatched 2021 privilege escalation flaw that forced the plugin's permanent removal from the WordPress repository.
References
- NVD Entry for CVE-2021-47932
- WordPress Plugin Repository: TheCartPress (Closed)
- Exploit-DB: WordPress Plugin TheCartPress 1.5.3.6 Privilege Escalation
- VulnCheck Advisory: WordPress TheCartPress Privilege Escalation Unauthenticated
- Patchstack: Privilege Escalation in WordPress TheCartPress Plugin
- Patchstack: Patching an Arbitrary User Creation Security Bug in TheCartPress Plugin
- WPScan: TheCartPress eCommerce Shopping Cart
- WPScan: TheCartPress Vulnerability Detail
- Wordfence: TheCartPress eCommerce Shopping Cart



