Impact
The vulnerability in the WordPress Login as User plugin allows an attacker with existing authenticated access, at least at Subscriber level, to elevate their privileges to full administrative control. The flaw exists because the handle_return_to_admin() function trusts the client-supplied oclaup_original_admin cookie to select which user to authenticate as, without verifying that the cookie was set as a result of an authorized admin-initiated user switch. By setting the cookie value to the ID of an administrator, the attacker can trigger the Return to Admin feature and obtain administrator privileges. This is a classic authorization bypass and, if exploited, compromises the confidentiality, integrity, and availability of the WordPress installation.
Affected Systems
WordPress users who have installed the Login as User – Switch User & WooCommerce Login as Customer plugin by royalnavneet, versions 1.0.3 and earlier, are affected. The plugin is distributed through the official WordPress plugin repository and also available from the plugin's source. All installations that rely on the handle_return_to_admin() function to switch back to the admin after a user switch are vulnerable.
Risk and Exploitability
The flaw carries a CVSS score of 8.8, indicating high severity. No EPSS value is available, and the vulnerability is not listed in CISA's KEV catalog, suggesting that widespread exploitation is not yet documented. The attack requires only that the attacker can authenticate as a regular user with Subscriber level or higher. Because the oclaup_original_admin cookie is set client-side, an authenticated user can change its value to an administrator's user ID and then trigger the Return to Admin action. Since this cookie manipulation does not require admin credentials, the privilege escalation can be performed from a normal user context, making the risk significant for sites that grant Subscriber access to many users.
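The root cause described in the Impact and Risk sections is that the cookie itself names the target user. As an added illustration (not the plugin's code; the function names, transient key prefix and nonce action are assumed), the following hardened flow records the admin identity server-side at switch time, so the cookie becomes an opaque, single-use handle that only the user who was switched into can redeem:

```php
<?php
// Illustrative hardening for a "return to admin" flow (assumed names; not the plugin's code).
// Pattern being avoided: reading a user ID straight out of a client cookie and calling
// wp_set_auth_cookie() on it, which lets any logged-in user choose who to become.

const OCLAUP_RETURN_COOKIE = 'oclaup_original_admin';   // cookie name from the advisory
const OCLAUP_RETURN_TTL    = HOUR_IN_SECONDS;

// Called while the administrator is still authenticated, before switching to $target_id.
function oclaup_safe_begin_switch( int $target_id ): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed.' );                        // only admins may start a switch
    }
    $token = wp_generate_password( 40, false );          // unguessable alphanumeric handle
    set_transient( 'oclaup_return_' . $token, [
        'admin_id'  => get_current_user_id(),            // recorded server-side, never from the client
        'target_id' => $target_id,
    ], OCLAUP_RETURN_TTL );
    setcookie( OCLAUP_RETURN_COOKIE, $token, time() + OCLAUP_RETURN_TTL,
        COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );     // Secure on TLS, always HttpOnly
    wp_set_auth_cookie( $target_id );
}

// Handles the "Return to Admin" request. Returns the admin's user ID, or false on refusal.
function oclaup_safe_return_to_admin() {
    check_admin_referer( 'oclaup_return_to_admin' );     // nonce check against CSRF
    $token = isset( $_COOKIE[ OCLAUP_RETURN_COOKIE ] ) ? (string) $_COOKIE[ OCLAUP_RETURN_COOKIE ] : '';
    if ( ! preg_match( '/^[A-Za-z0-9]{40}$/', $token ) ) {
        return false;                                    // cookie carries no user ID, only a handle
    }
    $rec = get_transient( 'oclaup_return_' . $token );
    delete_transient( 'oclaup_return_' . $token );       // single use, whatever happens next
    if ( ! is_array( $rec ) || (int) $rec['target_id'] !== get_current_user_id() ) {
        return false;                                    // caller is not the user that was switched into
    }
    $admin = get_user_by( 'id', (int) $rec['admin_id'] );
    if ( ! $admin || ! user_can( $admin, 'manage_options' ) ) {
        return false;                                    // original admin no longer privileged
    }
    setcookie( OCLAUP_RETURN_COOKIE, '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
    wp_set_auth_cookie( $admin->ID );
    return $admin->ID;
}
```

Sites that cannot update immediately can at least detect abuse by logging every return-to-admin request whose cookie value does not match a record created by an admin-initiated switch.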
OpenCVE Enrichment