Description
The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the `rememberLogin` REST API endpoint using a loose comparison (`!=` instead of `!==`) for secret validation at `app/RestAPI.php:111`, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their `asSecret` user meta does not exist, causing `get_user_meta()` to return an empty string. An attacker can send an empty `secret` parameter, which passes the comparison (`'' != ''` is `false`), and the endpoint then calls `wp_set_auth_cookie()` for the target user. Additionally, all REST routes use `permission_callback => '__return_true'` with no capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to switch to any user account including Administrator, ultimately granting themselves full administrative privileges.
Published: 2026-05-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Account Switcher plugin for WordPress contains an authentication bypass in its rememberLogin REST endpoint. The comparison operator used for validating the secret is loose (!=) instead of strict (!==) and the plugin does not enforce that the secret is non‑empty. When a target user who has never used the "Remember me" feature is addressed, the asSecret user meta is empty, causing the comparison to evaluate incorrectly. The endpoint then calls wp_set_auth_cookie() for that user, allowing the attacker to assume the user’s identity. All REST routes expose the permission_callback => '__return_true', allowing any authenticated user with a Subscriber role or higher to trigger the abuse, which ultimately permits escalation to Administrator privileges.

Affected Systems

The vulnerability impacts all installations of the Account Switcher plugin from beycanpress that are running version 1.0.2 or older. It is present on any WordPress site that has this plugin installed and exposes its REST API endpoints.

Risk and Exploitability

The CVSS score of 8.8 reflects the high severity of this privilege escalation. EPSS data is not available and the issue is not listed in CISA’s KEV catalog. Exploitation requires only that the attacker have an authenticated account with Subscriber level access or higher—a common situation on many WordPress deployments. By sending a crafted REST request with an empty secret to the rememberLogin endpoint, an attacker can obtain a valid authentication cookie for any target user without further credentials. The lack of capability checks makes the attack trivial once authentication is achieved.

Generated by OpenCVE AI on May 20, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Account Switcher to the latest version available from the vendor, which removes the loose comparison and adds proper capability checks.
  • If an upgrade cannot be applied immediately, block or delete all REST routes supplied by the plugin—for example, by disabling the plugin or restricting the /wp-json/account-switcher/* URL via .htaccess or a security plugin that blocks the endpoint.
  • Implement role‑based access controls on the plugin’s REST endpoints so that only administrator accounts can execute them; alternatively, modify the permission_callback to verify administrator capability before allowing the endpoint to run.
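As an added illustration (not the plugin's own code), the secret check as the description above characterises it, next to a hardened version that also applies the capability check recommended in the actions. Only the `rememberLogin` behaviour, the `asSecret` meta key and `wp_set_auth_cookie()` come from the advisory; the namespace, route path, parameter names and function names are assumptions.

```php
<?php
// Added example, not from the Account Switcher plugin; names are hypothetical.

// Vulnerable shape (as the advisory describes it): loose comparison, no emptiness check.
// get_user_meta() returns '' when 'asSecret' was never set, so an empty $secret
// makes ('' != '') evaluate to false and the check falls through to success.
function account_switcher_secret_ok_loose( int $user_id, $secret ): bool {
    $stored = get_user_meta( $user_id, 'asSecret', true );
    if ( $stored != $secret ) { // loose !=: two empty strings compare equal
        return false;
    }
    return true;
}

// Hardened shape: a user who never opted into "Remember me" has nothing to match,
// both sides must be non-empty strings, and hash_equals() is strict and timing-safe.
function account_switcher_secret_ok_strict( int $user_id, $secret ): bool {
    $stored = get_user_meta( $user_id, 'asSecret', true );
    if ( ! is_string( $stored ) || $stored === '' || ! is_string( $secret ) || $secret === '' ) {
        return false;
    }
    return hash_equals( $stored, $secret );
}

// Route registration: a real capability check instead of '__return_true'.
add_action( 'rest_api_init', function () {
    register_rest_route( 'account-switcher/v1', '/remember-login', array( // path assumed
        'methods'             => 'POST',
        'callback'            => 'account_switcher_remember_login',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' ); // administrator capability
        },
        'args'                => array(
            'user_id' => array( 'required' => true, 'type' => 'integer' ),
            'secret'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function account_switcher_remember_login( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $secret  = $request->get_param( 'secret' );
    if ( ! account_switcher_secret_ok_strict( $user_id, $secret ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid secret.', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id ); // only reached after both checks pass
    return rest_ensure_response( array( 'ok' => true ) );
}
```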



Advisories

No advisories yet.

History

Wed, 20 May 2026 18:30:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type: First Time appeared
Values added: Beycanpress; Beycanpress account Switcher; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Beycanpress; Beycanpress account Switcher; Wordpress; Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type: Description
Values added: (identical to the Description at the top of this page)

Type: Title
Values added: Account Switcher <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation

Type: Weaknesses
Values added: CWE-287

Type: References

Type: Metrics
Values added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Beycanpress Account Switcher
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T17:17:37.504Z

Reserved: 2026-04-16T20:55:00.814Z

Link: CVE-2026-6456

Vulnrichment

Updated: 2026-05-20T17:17:33.962Z

NVD

Status : Deferred

Published: 2026-05-20T02:16:38.637

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-6456

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:38:23Z

Weaknesses