CVE-2026-6456

Summary

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison (!= instead of !==) for secret validation at app/RestAPI.php:111, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their asSecret user meta does not exist, causing get_user_meta() to return an empty string. An attacker can send an empty secret parameter, which passes the comparison ('' != '' is false), and the endpoint then calls wp_set_auth_cookie() for the target user. Additionally, all REST routes use permission_callback => '__return_true' with no capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to switch to any user account including Administrator, ultimately granting themselves full administrative privileges.

Affected Software

VendorProductVersion RangeStatus
beycanpressAccount Switcher0 <= 1.0.2affected

Weaknesses

  • CWE-287: CWE-287 Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References