CVE-2021-47932: TheCartPress: Attackers Can Create Administrator Accounts
Summary
An attacker can create an administrator account on a TheCartPress site without needing a password, allowing them to make changes to the site. This is a serious security risk because an attacker could use this access to steal sensitive information or damage the site. To protect your site, update TheCartPress to the latest version.
Original title
WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handl...
Original description
WordPress TheCartPress 1.5.3.6 contains an unauthenticated privilege escalation vulnerability that allows attackers to create administrator accounts by submitting crafted requests to the AJAX handler. Attackers can send POST requests to the tcp_register_and_login_ajax action with tcp_role set to administrator to gain full administrative access without authentication.
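A stopgap for sites that cannot update immediately, written as an added example (not TheCartPress or WordPress project code): a must-use plugin that rejects the request described above unless the caller is already allowed to promote users. It assumes the plugin registers its handler through WordPress's standard `wp_ajax_{action}` / `wp_ajax_nopriv_{action}` hooks at the default priority; the file name and the `tcp_guard_` names are hypothetical.

```php
<?php
/**
 * Plugin Name: tcp_role guard (added example, hypothetical name)
 *
 * Assumption: TheCartPress hooks its handler on wp_ajax_{action} and
 * wp_ajax_nopriv_{action} at the default priority 10, so a callback
 * registered at priority 0 runs before it.
 */

const TCP_GUARD_ACTION = 'tcp_register_and_login_ajax'; // action named in the advisory
const TCP_GUARD_PARAM  = 'tcp_role';                    // parameter named in the advisory

function tcp_guard_block_role_assignment() {
    $role_supplied = isset( $_POST[ TCP_GUARD_PARAM ] )
        || isset( $_GET[ TCP_GUARD_PARAM ] )
        || isset( $_REQUEST[ TCP_GUARD_PARAM ] );

    if ( ! $role_supplied ) {
        return; // ordinary registration without a role: let the plugin handle it
    }

    // Only a logged-in user who may already change roles is allowed to pick one.
    if ( is_user_logged_in() && current_user_can( 'promote_users' ) ) {
        return;
    }

    // Record the attempt for later review; the supplied role value is not logged.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'tcp-guard: rejected %s carrying %s from %s',
        TCP_GUARD_ACTION, TCP_GUARD_PARAM, $remote ) );

    // wp_die() ends the request here, so the plugin's own handler never runs.
    wp_die( 'Role assignment is not permitted.', 'Forbidden', array( 'response' => 403 ) );
}

// Cover both the unauthenticated and the authenticated dispatch paths.
add_action( 'wp_ajax_nopriv_' . TCP_GUARD_ACTION, 'tcp_guard_block_role_assignment', 0 );
add_action( 'wp_ajax_' . TCP_GUARD_ACTION, 'tcp_guard_block_role_assignment', 0 );
```

Placed in `wp-content/mu-plugins/`, the file loads before regular plugins and cannot be deactivated from the admin screen; the rejected attempts it logs are also a signal that the site is being probed.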
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.3
Vulnerability type: CWE-862 (Missing Authorization)
Published: 10 May 2026 · Updated: 28 May 2026 · First seen: 10 May 2026