WordPress TheCartPress Privilege Escalation Vulnerability in AJAX Handler

A privilege escalation vulnerability has been identified in the WordPress plugin TheCartPress, specifically in version 1.5.3.6. This vulnerability allows unauthenticated attackers to create administrator accounts by sending crafted POST requests to the AJAX handler. The exploitation involves targeting the 'tcp_register_and_login_ajax' action and setting the 'tcp_role' parameter to 'administrator', thereby gaining full administrative access without any authentication.

Impact

Exploitation of this vulnerability allows for unauthorized users to gain administrative privileges on the WordPress site, enabling them to make significant changes, including modifying content, managing plugins and themes, and potentially compromising the entire site.

Reproduction

To reproduce this vulnerability, send a POST request to '/wp-admin/admin-ajax.php' with the action set to 'tcp_register_and_login_ajax'. Include the 'tcp_new_user_name', 'tcp_new_user_pass', 'tcp_repeat_user_pass', 'tcp_new_user_email', and 'tcp_role' parameters, with 'tcp_role' set to 'administrator'. If the request is successful, the response will indicate a successful insertion of the admin account.