Executive Summary

The Login as User plugin for WordPress has a vulnerability that allows privilege escalation. This happens because the plugin's handle_return_to_admin() function trusts a client-controlled cookie named oclaup_original_admin to decide which user to authenticate as. There is no server-side verification to confirm that this cookie was legitimately set during an admin-initiated user switch.

As a result, an authenticated attacker with Subscriber-level access or higher can set this cookie to an administrator's user ID and use the "Return to Admin" feature to escalate their privileges to administrator.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with low-level access (Subscriber or above) to gain administrator privileges on a WordPress site using the Login as User plugin. This means the attacker could take full control of the site, including managing users, changing settings, installing or removing plugins, and accessing sensitive data.

Such unauthorized privilege escalation can lead to site defacement, data breaches, loss of data integrity, and disruption of services.

Useful 0 Not Useful 0

Mitigation Strategies

The Login as User plugin for WordPress has been temporarily closed and is unavailable for download pending a full review as of April 9, 2026.

To mitigate this vulnerability, immediately disable or uninstall the Login as User plugin (version 1.0.3 and earlier) from your WordPress site.

Ensure that only trusted users have Subscriber-level access or higher, as authenticated attackers with such access can exploit this vulnerability.

Monitor for updates or patches from the plugin maintainer before re-enabling the plugin.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access or higher to escalate their privileges to administrator by manipulating a client-controlled cookie without server-side verification.

Such unauthorized privilege escalation can lead to unauthorized access to sensitive data and administrative functions, potentially violating data protection and privacy requirements under standards like GDPR and HIPAA.

Specifically, if an attacker gains administrator access, they could access, modify, or exfiltrate personal or protected health information, undermining confidentiality, integrity, and availability controls required by these regulations.

Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations that mandate strict access controls and protection of sensitive data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the manipulation of the client-controlled cookie named 'oclaup_original_admin' to escalate privileges in the Login as User WordPress plugin. Detection would involve monitoring for unusual or unauthorized use of this cookie, especially attempts to set it to an administrator's user ID by users with Subscriber-level access or above.

Since the vulnerability exploits the 'Return to Admin' functionality triggered by this cookie, one approach is to inspect HTTP requests to the WordPress site for the presence and values of the 'oclaup_original_admin' cookie.

Suggested commands to detect potential exploitation attempts include:

• Using command-line tools like curl or wget to check for the cookie in HTTP responses or requests.
• Example curl command to inspect cookies in requests or responses:
• curl -I -b "oclaup_original_admin=some_admin_user_id" https://yourwordpresssite.com
• Using web server logs or proxy logs to search for requests containing the 'oclaup_original_admin' cookie with suspicious values:
• grep 'oclaup_original_admin' /var/log/apache2/access.log
• Monitoring WordPress user activity logs for unexpected privilege escalations or 'Return to Admin' actions triggered by non-admin users.

Note: Specific detection commands or tools are not detailed in the provided resources, so these suggestions are based on the nature of the vulnerability described.

Useful 0 Not Useful 0