Description
The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id.
Published: 2025-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The Browse As plugin for WordPress, versions up to and including 0.2, contains an authentication bypass flaw caused by improper validation of the is_ba_original_user_COOKIEHASH cookie within the IS_BA_Browse_As::notice function. This flaw permits any user who can authenticate as a subscriber or higher to assume the identity of any other user on the same site if they know the target’s user ID. The result is unauthorized access to content and functions, potentially including administrative privileges, violating confidentiality and integrity.

Affected Systems

This vulnerability affects the Browse As plugin (author sorich87) installed on WordPress sites. All installations running version 0.2 or earlier are impacted; no later releases have been identified as vulnerable. Site administrators should verify the current plugin version, as the issue is tied to the plugin code rather than WordPress core.

Risk and Exploitability

The CVSS v3 score of 8.8 labels it as high severity, reflecting the heavy impact of impersonation. However, the EPSS score of less than 1% indicates that real‑world exploitation is currently unlikely, and the flaw is not listed in the CISA KEV catalog. The attack requires that the adversary already possess at least subscriber-level credentials on the target site; once authentic, they can manipulate the cookie to target any user ID, thereby bypassing all role‑based access controls.

Generated by OpenCVE AI on April 21, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Browse As plugin to the latest available release (currently 0.3 or later) or remove the plugin if it is not needed.
  • Restrict subscriber-level permissions to the minimum required for legitimate users, and revoke any unnecessary role privileges that might allow the use of the bypass.
  • Audit the site for any evidence of unauthorized account usage and consider resetting passwords for all accounts, especially administrators.
  • As a temporary measure, delete or block the is_ba_original_user_COOKIEHASH cookie from the browser to prevent the bypass if the plugin must remain installed.

Generated by OpenCVE AI on April 21, 2026 at 20:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16477 The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id.
History

Fri, 30 May 2025 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 30 May 2025 11:30:00 +0000

Type Values Removed Values Added
Description The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id.
Title Browse As <= 0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:32.803Z

Reserved: 2025-05-26T05:12:25.477Z

Link: CVE-2025-5190

cve-icon Vulnrichment

Updated: 2025-05-30T12:15:58.716Z

cve-icon NVD

Status : Deferred

Published: 2025-05-30T12:15:21.103

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-5190

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:45:25Z

Weaknesses