Description
WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication.
Published: 2026-05-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation flaw that allows any web visitor to create new administrator accounts by submitting crafted POST requests to the tcp_register_and_login_ajax AJAX handler. The attack bypasses authentication checks and grants full administrative privileges, enabling complete control over the WordPress site. This failure of authorization (CWE-862) exposes the entire installation to compromise.

Affected Systems

The vulnerability affects the TheCartPress plugin version 1.5.3.6 used on WordPress sites. Only installations running that specific version are vulnerable until they receive a patch or update.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, reflecting a critical severity. Its EPSS score is not provided, and it is not listed in the CISA KEV catalog. The attack does not require prior authentication or valuable access; it simply delivers a crafted POST to the exposed AJAX endpoint tcp_register_and_login_ajax. If the site is publicly accessible, an outside attacker can immediately exploit it, making the risk highly actionable. This straightforward, unauthenticated path, coupled with the high CVSS, indicates that sites should prioritize remediation.

Generated by OpenCVE AI on May 10, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update TheCartPress to the latest version that removes the privilege escalation flaw.
  • If a patch is not yet available, block unauthenticated POST requests to the tcp_register_and_login_ajax endpoint, or disable the plugin entirely to prevent the action from executing.
  • Implement monitoring of the /ajax/tcp_register_and_login_ajax endpoint to detect and block suspicious requests, and consider restricting the endpoint to authenticated users only via web server configuration.

Generated by OpenCVE AI on May 10, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Thecartpress
Thecartpress thecartpress
Wordpress
Wordpress wordpress
Vendors & Products Thecartpress
Thecartpress thecartpress
Wordpress
Wordpress wordpress

Sun, 10 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication.
Title WordPress TheCartPress 1.5.3.6 Privilege Escalation Unauthenticated
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Thecartpress Thecartpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:52.728Z

Reserved: 2026-02-01T11:24:18.717Z

Link: CVE-2021-47932

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:29.427

Modified: 2026-05-10T13:16:29.427

Link: CVE-2021-47932

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T14:45:14Z

Weaknesses