External risk intelligence

WordPress plugin lets attackers create admin accounts without login

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2021-47932

A WordPress plugin lets anyone create an administrator account on your website without logging in, giving them full control. This affects public-facing sites using the TheCartPress plugin and needs immediate attention.

Halo Surface Signal: 4

Privilege Escalation

External exposure likelihood

Halo Surface Signal score for CVE-2021-47932

The vulnerability affects a WordPress plugin designed to provide e-commerce functionality. WordPress sites are typically public-facing web applications, and the vulnerable AJAX registration handler is a web endpoint that is accessible to external users visiting the site.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the TheCartPress plugin for WordPress allows unauthenticated attackers to create administrator accounts. This is significant because it means an attacker could gain complete control of your WordPress site without needing any prior access.

  • It impacts WordPress sites using the plugin.
  • Attackers can take over your website.
  • No login is needed to exploit this.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by sending a specially crafted POST request to the vulnerable WordPress plugin's AJAX handler. This request would manipulate the `tcp_role` parameter to grant administrator privileges, effectively allowing the attacker to take full control of the website without needing any prior access.

  • Targets public-facing WordPress sites.
  • Exploits AJAX handler without authentication.
  • Requires setting `tcp_role` to administrator.

Live Threat

Current exploitation, exposure, and threat context

This privilege escalation in TheCartPress allows any unauthenticated attacker to create an administrator account. WordPress sites are common targets, and this vulnerability offers a direct path to full control without needing prior access or user interaction.

  • Public exploit available.
  • No KEV listing observed.
  • Recency signal: Published in 2021.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize containing TheCartPress instances that allow unauthenticated users to create administrator accounts. Actively monitor for any signs of new administrator accounts being created on your WordPress sites, as this vulnerability could allow attackers to gain full control. If exploitation is detected, immediately isolate affected services.

  • Block access to the registration handler.
  • Monitor for new admin accounts.
  • Disable TheCartPress plugin.
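The "monitor for new admin accounts" action above can be automated. The following Python script is an added example, not part of this advisory or of TheCartPress: it compares the site's current administrator list against an approved baseline and flags any administrator that is missing from the baseline or was registered recently. It assumes the list is exported with WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json`); the baseline and current snapshots embedded below are constructed sample data.

```python
"""Flag newly created or unapproved WordPress administrator accounts.

Added example for the remediation step "monitor for new admin accounts".
Input is the JSON produced by:
  wp user list --role=administrator \
      --fields=ID,user_login,user_email,user_registered --format=json
The baseline is the same export taken at the last review and stored
somewhere the web server cannot write to.  Sample data is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed baseline: administrators approved at the last review.
BASELINE_JSON = json.dumps([
    {"ID": "1", "user_login": "siteowner",
     "user_email": "owner@example.test",
     "user_registered": "2019-03-12 08:00:00"},
])

# Constructed current snapshot in the shape WP-CLI emits with --format=json.
# User 57 was created recently and never approved.
CURRENT_JSON = json.dumps([
    {"ID": "1", "user_login": "siteowner",
     "user_email": "owner@example.test",
     "user_registered": "2019-03-12 08:00:00"},
    {"ID": "57", "user_login": "shop_support",
     "user_email": "support@attacker-controlled.test",
     "user_registered": "2021-10-29 03:14:07"},
])

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc)
# in production.
NOW = datetime(2021, 10, 30, 12, 0, 0, tzinfo=timezone.utc)


def parse_admins(raw_json):
    """Return {ID: user dict} from a WP-CLI JSON export."""
    return {str(user["ID"]): user for user in json.loads(raw_json)}


def registered_at(user):
    """WordPress stores user_registered in UTC ('YYYY-MM-DD HH:MM:SS')."""
    return datetime.strptime(
        user["user_registered"], "%Y-%m-%d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)


def find_suspicious_admins(baseline_raw, current_raw, now=None, recent_days=7):
    """Return a list of findings, one per administrator worth reviewing.

    An administrator is reported when it is absent from the baseline, when its
    login or e-mail differs from the approved record (an existing account
    repurposed), or when it was registered within `recent_days` of `now`.
    """
    now = now or datetime.now(timezone.utc)
    baseline = parse_admins(baseline_raw)
    findings = []
    for uid, user in parse_admins(current_raw).items():
        reasons = []
        approved = baseline.get(uid)
        if approved is None:
            reasons.append("administrator not in approved baseline")
        elif (approved["user_login"] != user["user_login"]
              or approved["user_email"] != user["user_email"]):
            reasons.append("login or e-mail differs from approved record")
        age = now - registered_at(user)
        if age <= timedelta(days=recent_days):
            reasons.append(
                f"registered {user['user_registered']} UTC "
                f"(within the last {recent_days} days)")
        if reasons:
            findings.append({"ID": uid, "user_login": user["user_login"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_admins(BASELINE_JSON, CURRENT_JSON, NOW):
        print(f"[REVIEW] user {finding['ID']} ({finding['user_login']}): "
              + "; ".join(finding["reasons"]))
```

Run it from cron or a CI job against a fresh WP-CLI export; any finding is a candidate for the "isolate affected services" step, since a legitimate administrator should already be in the baseline. Note that an account promoted to administrator through a role change keeps its original registration date, which is why the baseline comparison, not the age check, is the primary signal.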

Frequently asked questions

What is TheCartPress plugin for WordPress and what does CVE-2021-47932 impact?

TheCartPress is a WordPress plugin that adds e-commerce capabilities to websites. CVE-2021-47932 specifically affects this plugin, allowing unauthenticated attackers to create administrator accounts on affected WordPress sites by exploiting a privilege escalation vulnerability.

What kind of weakness does CVE-2021-47932 describe and how is it triggered?

CVE-2021-47932 describes an unauthenticated privilege escalation vulnerability. This weakness is triggered when an attacker sends a specially crafted POST request to the plugin's AJAX handler, specifically manipulating the `tcp_role` parameter to assign administrator privileges.

How can an attacker exploit CVE-2021-47932 to gain control of a WordPress site?

An attacker can exploit this vulnerability by sending a POST request to the TheCartPress plugin's AJAX handler with `tcp_role` set to `administrator`. This allows them to create a new administrator account without any prior authentication or access to the site, granting them full administrative control.

What is the relevance of CVE-2021-47932 affecting TheCartPress and its Halo Surface Signal score?

This vulnerability is relevant because it provides a direct path for unauthenticated attackers to gain complete control of a WordPress website, a common target. The Halo Surface Signal score of 4 (Likely) indicates that the vulnerability affects public-facing web applications, specifically a WordPress plugin's web endpoint accessible to external users.

What practical steps should be taken to address the CVE-2021-47932 vulnerability in TheCartPress?

To address this vulnerability, administrators should prioritize containing instances of TheCartPress that allow unauthenticated user registration. Actively monitor WordPress sites for any newly created administrator accounts and consider disabling the TheCartPress plugin if exploitation is suspected or confirmed.
