This vulnerability allows unauthenticated attackers to gain full administrative access to vulnerable WordPress sites. Attackers can craft malicious POST requests to the plugin's AJAX handler to create new administrator accounts. No prior authentication is required to exploit this flaw.
Remediation
Update the TheCartPress plugin to a patched version immediately if one is available. If no patch exists, uninstall the plugin from all affected WordPress installations. Audit all user accounts to remove unauthorized administrator accounts created by attackers.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.