VYPR
High severity · CVSS 8.8 · NVD Advisory · Published May 20, 2026

CVE-2026-6456

Description

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison (!= instead of !==) for secret validation at app/RestAPI.php:111, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their asSecret user meta does not exist, causing get_user_meta() to return an empty string. An attacker can send an empty secret parameter, which passes the comparison ('' != '' is false), and the endpoint then calls wp_set_auth_cookie() for the target user. Additionally, all REST routes use permission_callback => '__return_true' with no capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to switch to any user account including Administrator, ultimately granting themselves full administrative privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Account Switcher plugin for WordPress (≤1.0.2) lets authenticated subscribers escalate to admin via a loose comparison and missing secret validation in its REST API.

Vulnerability Analysis

The Account Switcher plugin for WordPress, closed since May 14, 2026, contains a privilege escalation vulnerability in versions up to and including 1.0.2 [1]. The root cause lies in the rememberLogin REST API endpoint defined in app/RestAPI.php:111. The endpoint validates a user's secret using a loose comparison (!=), and also fails to check that the secret is non-empty. When a target user has never used the "Remember me" feature, their asSecret user meta does not exist; get_user_meta() returns an empty string. An attacker can send an empty secret parameter, causing the comparison '' != '' to evaluate as false, which passes validation. The endpoint then executes wp_set_auth_cookie() for the target user, logging the attacker in as that user.

Exploitation

An authenticated attacker with at least Subscriber-level privileges can exploit this flaw. The plugin's REST routes all use permission_callback => '__return_true' with no additional capability checks. This means the attacker can switch to any user account on the WordPress site, including those with Administrator roles. No nonce or special privilege is required beyond the attacker's own authenticated session.
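The two defects described above (loose comparison against a possibly-empty stored secret, and an open permission_callback) and the corresponding fixes, as an added illustration that is not the plugin's code. The function names wp_set_auth_cookie(), get_user_meta() and the meta key asSecret come from the advisory; the route namespace, parameter names, handler names and the capability checked are assumptions.

```php
<?php
// Illustrative reconstruction for defenders, not the Account Switcher plugin's code.
// Route namespace, parameter names and the capability below are assumptions.

// Vulnerable shape: loose comparison, no non-empty check, open permission callback.
function as_remember_login_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $secret  = $request->get_param( 'secret' );
    // get_user_meta( ..., true ) returns '' when the key was never stored, so an
    // empty or missing 'secret' makes ('' != $secret) false and the check is skipped.
    if ( get_user_meta( $user_id, 'asSecret', true ) != $secret ) {
        return new WP_Error( 'invalid_secret', 'Invalid secret', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id ); // logs the caller in as $user_id
    return rest_ensure_response( array( 'ok' => true ) );
}

// Hardened shape: reject missing/empty secrets on either side, compare strictly
// and in constant time, and gate the route with a real capability check.
function as_remember_login_hardened( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $secret  = $request->get_param( 'secret' );
    $stored  = get_user_meta( $user_id, 'asSecret', true );
    $deny    = new WP_Error( 'invalid_secret', 'Invalid secret', array( 'status' => 403 ) );

    // A user who never used "Remember me" has no secret; nothing can match it.
    if ( ! is_string( $secret ) || $secret === '' || ! is_string( $stored ) || $stored === '' ) {
        return $deny;
    }
    if ( ! hash_equals( $stored, $secret ) ) { // strict, timing-safe comparison
        return $deny;
    }
    wp_set_auth_cookie( $user_id );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'account-switcher/v1', '/rememberLogin', array( // namespace assumed
        'methods'             => 'POST',
        'callback'            => 'as_remember_login_hardened',
        // Never '__return_true' on a route that issues auth cookies: require a
        // capability that only legitimately switching users hold (assumed here).
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'manage_options' );
        },
    ) );
} );
```

The permission_callback alone would have blocked Subscriber-level callers; the strict, non-empty comparison closes the bypass for any caller who does get past it.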

Impact

By switching to an Administrator account, the attacker gains full administrative access to the WordPress installation. This includes the ability to modify site content, install plugins, change user roles, and potentially execute arbitrary code. The vulnerability is critical because it allows a low-privileged user to completely take over the site.

Mitigation

The plugin was closed on the WordPress.org plugin directory on May 14, 2026, and is pending a full review [1]. Users should immediately remove or replace the plugin with a trusted alternative. As of this writing, no patched version has been released. The vendor, BeycanPress LLC, has not yet provided an update on the plugin's repository.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)