ZeroPath at Black Hat USA 2026

Brief Summary: WordPress TheCartPress CVE-2021-47932 Unauthenticated Privilege Escalation to Administrator

A brief summary of CVE-2021-47932, a critical unauthenticated privilege escalation vulnerability in the abandoned WordPress TheCartPress plugin that allows attackers to create administrator accounts via a single crafted POST request.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-10

Brief Summary: WordPress TheCartPress CVE-2021-47932 Unauthenticated Privilege Escalation to Administrator
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An abandoned WordPress e-commerce plugin with no available patch still exposes hundreds of sites to full administrative takeover via a single unauthenticated HTTP request. CVE-2021-47932 targets TheCartPress, a WordPress shopping cart plugin that was last updated in January 2017 and permanently removed from the WordPress plugin repository in October 2021 due to this exact security issue.

TheCartPress was a free, open source e-commerce solution for WordPress that provided shopping cart, product catalog, and checkout functionality. Over its lifetime, the plugin accumulated more than 200,000 downloads according to Wordfence. Despite its removal from the repository, approximately 500 active installations remain, representing a residual but real attack surface.

Technical Information

The root cause of CVE-2021-47932 is a missing authorization check (CWE-862) in the plugin's AJAX registration handler. The vulnerable function, tcp_register_and_login_ajax, is registered using a WordPress "nopriv" hook. In WordPress plugin development, the wp_ajax_nopriv_ prefix makes an AJAX action accessible to users who are not logged in. This is appropriate for actions like login or public search, but it is dangerous when the handler performs privileged operations without verifying the caller's identity or permissions.

The function directly reads the tcp_role parameter from the incoming POST request and assigns that role to the newly created WordPress user. There is no check to confirm whether the requester is authorized to create users, and critically, there is no restriction on which roles can be assigned. An attacker can simply set tcp_role to administrator and receive a fully privileged account.

Attack Flow

The exploitation path is straightforward:

  1. The attacker identifies a WordPress site running TheCartPress (version 1.5.3.6 or earlier).
  2. The attacker sends a POST request to wp-admin/admin-ajax.php on the target site.
  3. The POST body includes the following parameters:
ParameterValuePurpose
actiontcp_register_and_login_ajaxTargets the vulnerable AJAX handler
tcp_roleadministratorGrants full administrative privileges
tcp_new_user_nameArbitrary stringSets the new administrator username
tcp_new_user_passArbitrary stringSets the new administrator password
tcp_new_user_emailArbitrary emailSets the new administrator email address
  1. The server processes the request, creates a new user with the administrator role, and returns an empty string response on success.
  2. The attacker logs in with the newly created credentials and has full administrative control over the WordPress installation.

A public proof of concept script written in Python has been available on Exploit-DB since October 2021. The script automates this entire flow and verifies success by checking for an empty string response from the server. If a Web Application Firewall is properly configured to block the request, the server returns a 403 Forbidden error instead.

The CVSS score for this vulnerability is 9.8 (Critical) according to Patchstack and WPScan. VulnCheck assigns a CVSS v4 score of 9.3. The critical rating reflects the fact that exploitation requires no authentication, no user interaction, and results in complete compromise of the WordPress installation.

Affected Systems and Versions

All versions of the WordPress TheCartPress plugin up to and including version 1.5.3.6 are affected. This is the final released version of the plugin. No patched version exists.

The plugin was permanently closed on the WordPress plugin repository on October 5, 2021. Despite this closure, Wordfence reports approximately 500 active installations remain. Any WordPress site still running TheCartPress in any version is vulnerable.

Vendor Security History

TheCartPress has a documented history of critical security vulnerabilities spanning nearly a decade:

Vulnerability TypePublished DateFixed VersionCVSS Score
Unauthenticated Admin Creation2021-10-05No known fix9.8
Multiple Vulnerabilities2015-04-291.3.9.37.5
Remote File Inclusion2014-08-011.1.2Not Available
Cross Site Scripting2011-12-311.1.6Not Available

This pattern of critical security issues, combined with the plugin's abandonment in 2017, culminated in the unpatched 2021 privilege escalation flaw that forced the plugin's permanent removal from the WordPress repository.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization