PatchSiren cyber security CVE debrief

CVE-2021-47932 WordPress CVE debrief

CVE-2021-47932 is a critical unauthenticated privilege-escalation vulnerability in TheCartPress 1.5.3.6. A crafted POST request to the tcp_register_and_login_ajax action can set tcp_role=administrator, letting an attacker with no credentials create an administrator account and take full administrative control of the site.

Vendor
WordPress
Product
Unknown
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-10
Original CVE updated
2026-05-10
Advisory published
2026-05-10
Advisory updated
2026-05-10

Who should care

WordPress site owners, administrators, and managed service providers running TheCartPress 1.5.3.6, especially on internet-facing sites and any environment that delegates plugin maintenance.

Technical summary

The supplied record describes an authorization failure in TheCartPress's AJAX registration/login handler. The endpoint is reachable by unauthenticated callers and honors a caller-supplied role parameter instead of assigning a fixed default role, so a single request can register an account that already holds the administrator role. The supplied metadata classifies the weakness as CWE-862 (Missing Authorization) and rates the issue Critical (CVSS 9.3).

Defensive priority

Immediate. This is a network-reachable, unauthenticated path to administrator access and should be treated as a site-compromise risk until the plugin is removed, disabled, or otherwise confirmed fixed.

Recommended defensive actions

  • Inventory WordPress installations for TheCartPress and record the installed version; 1.5.3.6 is the version named in the record.
  • Disable or remove the plugin until a verified fix is available.
  • Review administrator accounts and recent account-creation activity (the user_registered timestamp and the role stored for each user) for accounts you did not create.
  • Check web and application logs for POST requests to the tcp_register_and_login_ajax action. Note that admin-ajax.php actions are usually sent in the POST body, which standard access logs do not record, so a POST to /wp-admin/admin-ajax.php with no action in the query string is not proof of innocence; use WAF, reverse-proxy or application-level logs that capture request bodies where you have them.
  • If compromise is suspected, rotate credentials (including the authentication keys and salts in wp-config.php, which invalidates existing sessions) and investigate for follow-on changes to users, plugins, themes, and content.
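The log-review step above, as an added example that is not part of the PatchSiren page or of TheCartPress itself. It assumes Apache/Nginx combined log format and that the attacker may have placed the AJAX action in the query string (WordPress accepts the action parameter in either the query string or the POST body); the log lines, hostnames and IP addresses are constructed for the example. A request whose action is visible and matches is reported as a hit; a POST to admin-ajax.php whose action is not visible is reported separately, because the action may be hidden in an unlogged body.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "method target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Action name from the CVE description; role parameter named in the same description.
TARGET_ACTION = "tcp_register_and_login_ajax"
ROLE_PARAM = "tcp_role"

# Constructed sample log lines (documentation IP ranges, hypothetical hostnames).
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [10/May/2026:03:14:07 +0000] "POST /wp-admin/admin-ajax.php?action=tcp_register_and_login_ajax&tcp_role=administrator HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/May/2026:03:15:22 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "https://shop.example/cart" "Mozilla/5.0"',
    '192.0.2.9 - - [10/May/2026:03:16:01 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 38 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2026:03:17:45 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 38 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2026:03:18:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"',
]


def classify(line):
    """Return a finding dict for one log line, or None if the line is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line; skip rather than guess
    if m["method"] != "POST":
        return None  # the vulnerable handler is driven by POST
    parts = urlsplit(m["target"])
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)
    action = qs.get("action", [None])[0]
    role = qs.get(ROLE_PARAM, [None])[0]
    if action == TARGET_ACTION:
        verdict = "hit"
    elif action is None:
        # action (and any role) may be in the POST body, which this log does not record
        verdict = "unknown-action"
    else:
        return None  # some other, named AJAX action
    return {
        "ip": m["ip"],
        "time": m["time"],
        "status": m["status"],
        "action": action,
        "role": role,
        "verdict": verdict,
    }


def scan(lines):
    """Scan an iterable of log lines and return the findings in log order."""
    findings = []
    for line in lines:
        result = classify(line)
        if result is not None:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG_LINES):
        print(f"{f['verdict']:14} {f['ip']:15} {f['time']} status={f['status']} "
              f"action={f['action']} {ROLE_PARAM}={f['role']}")
```

Treat a "hit" with a 200 status as an account-creation attempt that warrants an immediate review of the users table; treat "unknown-action" entries as leads to correlate with WAF or application logs that captured the body. Run it against a real file with `scan(open("access.log"))`.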

Evidence notes

The supplied source set includes the official CVE record, the NVD detail page, a WordPress plugin page for TheCartPress, a VulnCheck advisory, and an Exploit-DB listing. The metadata marks the vulnerability status as 'Received' and identifies CWE-862 as the primary weakness. No CISA KEV data was supplied.

Official resources

Published in the supplied NVD/CVE data on 2026-05-10. No KEV entry was supplied.