VYPR
High severity · CVSS 8.8 · NVD Advisory · Published May 20, 2026 · Updated May 20, 2026

CVE-2026-6456

Description

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison (!= instead of !==) for secret validation at app/RestAPI.php:111, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their asSecret user meta does not exist, causing get_user_meta() to return an empty string. An attacker can send an empty secret parameter, which passes the comparison ('' != '' is false), and the endpoint then calls wp_set_auth_cookie() for the target user. Additionally, all REST routes use permission_callback => '__return_true' with no capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to switch to any user account including Administrator, ultimately granting themselves full administrative privileges.
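The check the description refers to can be modelled in a few lines of plain PHP. The block below is an added example, not the plugin's code: `get_user_meta_stub()` and the `$userMeta` table are constructed stand-ins for WordPress's `get_user_meta()` (which returns `''` for a single meta value that does not exist), and the request cases are constructed. It puts the loose, unguarded comparison from the advisory next to a hardened version that refuses empty secrets and compares in constant time, and runs both against a user who has an `asSecret` value and one who never used "Remember me".

```php
<?php
// Added example for CVE-2026-6456, not the Account Switcher plugin's own code.
// The meta table and get_user_meta_stub() are constructed stand-ins for
// WordPress's get_user_meta(), so this runs with plain `php` outside WordPress.

// Constructed user-meta table. User 2 never used "Remember me", so it has no
// asSecret entry; get_user_meta() returns '' for a missing single value, which
// is the behaviour the stub reproduces.
$userMeta = [
    1 => ['asSecret' => 'b1c2d3e4f5'],   // constructed sample secret
    2 => [],
];

function get_user_meta_stub(array $userMeta, int $userId, string $key): string
{
    return $userMeta[$userId][$key] ?? '';
}

// The pattern the advisory describes: loose comparison, no check that the
// submitted secret is non-empty. For user 2 both sides are '' so ('' != '')
// is false and the request is accepted.
function secret_is_valid_vulnerable(array $userMeta, int $userId, $submitted): bool
{
    $stored = get_user_meta_stub($userMeta, $userId, 'asSecret');
    if ($submitted != $stored) {
        return false;
    }
    return true;
}

// Hardened replacement: require a non-empty string on both sides, then
// compare with hash_equals() so timing does not leak the stored value.
function secret_is_valid_hardened(array $userMeta, int $userId, $submitted): bool
{
    $stored = get_user_meta_stub($userMeta, $userId, 'asSecret');
    if (!is_string($submitted) || $submitted === '' || $stored === '') {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Constructed requests: a valid secret for user 1, an empty secret for the
// user with no stored secret, and an empty secret for a user who has one.
$cases = [
    ['user' => 1, 'secret' => 'b1c2d3e4f5'],
    ['user' => 2, 'secret' => ''],
    ['user' => 1, 'secret' => ''],
];
foreach ($cases as $c) {
    printf(
        "user %d secret %-14s vulnerable=%-5s hardened=%s\n",
        $c['user'],
        var_export($c['secret'], true),
        var_export(secret_is_valid_vulnerable($userMeta, $c['user'], $c['secret']), true),
        var_export(secret_is_valid_hardened($userMeta, $c['user'], $c['secret']), true)
    );
}
```

Only the second case differs between the two functions: the vulnerable check returns `true` for user 2 with an empty secret, the hardened one returns `false`. The empty-string guard matters on its own, since `'' !== ''` is also false and swapping `!=` for `!==` alone would not close this path. The second problem the description names, `'permission_callback' => '__return_true'`, is fixed at route registration rather than in the secret check: the callback should return a capability test such as `current_user_can('manage_options')` (or whatever capability the switch action actually requires) so that unauthorised callers are rejected before the handler runs.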
