Compliance Impact

The vulnerability allows an attacker with Subscriber-level access to escalate privileges to Administrator by exploiting a flaw in the Account Switcher plugin's REST API secret validation. This unauthorized privilege escalation can lead to full administrative control over the WordPress site.

Such unauthorized access and privilege escalation could result in unauthorized access to sensitive personal data or protected health information, potentially violating data protection regulations such as GDPR and HIPAA.

Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations that require strict access controls and protection of sensitive data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the Account Switcher WordPress plugin's REST API endpoint 'rememberLogin' improperly validating a secret parameter, allowing privilege escalation. Detection involves identifying if the vulnerable plugin version (up to 1.0.2) is installed and monitoring for suspicious REST API calls to the 'rememberLogin' endpoint with empty or manipulated 'secret' parameters.

To detect this on your system, you can check the installed plugins and their versions using WP-CLI:

• wp plugin list | grep account-switcher

If the plugin is installed and version 1.0.2 or below, it is vulnerable. Additionally, you can monitor web server logs or use network monitoring tools to look for REST API requests to the 'rememberLogin' endpoint, especially those with empty or missing 'secret' parameters.

Example command to search web server logs for such requests (assuming Apache logs):

• grep "/wp-json/account-switcher/v1/rememberLogin" /var/log/apache2/access.log | grep "secret="

Look for requests where the 'secret' parameter is empty or missing, which could indicate exploitation attempts.

Useful 0 Not Useful 0

Executive Summary

The Account Switcher plugin for WordPress has a privilege escalation vulnerability in all versions up to and including 1.0.2. This occurs because the `rememberLogin` REST API endpoint uses a loose comparison (`!=` instead of `!==`) to validate a secret, and it does not check if the secret is non-empty.

When a user has never used the "Remember me" feature, their secret value (`asSecret` user meta) does not exist, causing the system to treat it as an empty string. An attacker can exploit this by sending an empty secret parameter, which passes the loose comparison check, allowing the endpoint to authenticate as the target user.

Additionally, all REST routes in the plugin use a permission callback that always returns true, meaning there are no capability checks. This allows authenticated users with Subscriber-level access or higher to switch to any user account, including Administrator accounts, effectively granting themselves full administrative privileges.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated attacker with low-level access (Subscriber or above) to escalate their privileges to Administrator by switching to any user account without proper authorization.

As a result, the attacker can gain full administrative control over the WordPress site, which includes the ability to modify site content, change settings, install or remove plugins, and potentially compromise the entire website.

This can lead to data breaches, site defacement, loss of data integrity, and disruption of services.

Useful 0 Not Useful 0

Mitigation Strategies

The Account Switcher plugin for WordPress has been temporarily closed and is no longer available for download as of May 14, 2026, pending a full review.

As an immediate mitigation step, you should uninstall or deactivate the Account Switcher plugin if it is currently installed on your WordPress site to prevent exploitation of the privilege escalation vulnerability.

Monitor official sources for updates or a patched version of the plugin before considering reinstallation.

Useful 0 Not Useful 0