CVE-2026-6456
Privilege Escalation in Account Switcher WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| beycanpress | account_switcher | to 1.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Account Switcher plugin for WordPress has a privilege escalation vulnerability in all versions up to and including 1.0.2. This occurs because the `rememberLogin` REST API endpoint uses a loose comparison (`!=` instead of `!==`) to validate a secret, and it does not check if the secret is non-empty.
When a user has never used the "Remember me" feature, their secret value (`asSecret` user meta) does not exist, causing the system to treat it as an empty string. An attacker can exploit this by sending an empty secret parameter, which passes the loose comparison check, allowing the endpoint to authenticate as the target user.
Additionally, all REST routes in the plugin use a permission callback that always returns true, meaning there are no capability checks. This allows authenticated users with Subscriber-level access or higher to switch to any user account, including Administrator accounts, effectively granting themselves full administrative privileges.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker with low-level access (Subscriber or above) to escalate their privileges to Administrator by switching to any user account without proper authorization.
As a result, the attacker can gain full administrative control over the WordPress site, which includes the ability to modify site content, change settings, install or remove plugins, and potentially compromise the entire website.
This can lead to data breaches, site defacement, loss of data integrity, and disruption of services.
What immediate steps should I take to mitigate this vulnerability?
The Account Switcher plugin for WordPress has been temporarily closed and is no longer available for download as of May 14, 2026, pending a full review.
As an immediate mitigation step, you should uninstall or deactivate the Account Switcher plugin if it is currently installed on your WordPress site to prevent exploitation of the privilege escalation vulnerability.
Monitor official sources for updates or a patched version of the plugin before considering reinstallation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker with Subscriber-level access to escalate privileges to Administrator by exploiting a flaw in the Account Switcher plugin's REST API secret validation. This unauthorized privilege escalation can lead to full administrative control over the WordPress site.
Such unauthorized access and privilege escalation could result in unauthorized access to sensitive personal data or protected health information, potentially violating data protection regulations such as GDPR and HIPAA.
Therefore, this vulnerability poses a significant risk to compliance with common standards and regulations that require strict access controls and protection of sensitive data.