PatchSiren

TheCartPress CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL TheCartPress CVE published 2026-05-10

CVE-2021-47932

CVE-2021-47932 is a critical unauthenticated privilege-escalation issue affecting TheCartPress 1.5.3.6. Crafted POST requests to the tcp_register_and_login_ajax action can set tcp_role=administrator, allowing an attacker to create administrator accounts and gain full administrative access without credentials.