
Account Switcher CVE-2026-6456

EUVD-2026-31026 | HIGH
Improper Authentication (CWE-287)
2026-05-20 | Wordfence | GHSA-wrmc-3xq2-8pf7
CVSS 3.1 base score: 8.8

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: May 20, 2026 - 02:31 (vuln.today)

Description (NVD)

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison (!= instead of !==) for secret validation at app/RestAPI.php:111, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their asSecret user meta does not exist, causing get_user_meta() to return an empty string. An attacker can send an empty secret parameter, which passes the comparison ('' != '' is false), and the endpoint then calls wp_set_auth_cookie() for the target user. Additionally, all REST routes use permission_callback => '__return_true' with no capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to switch to any user account including Administrator, ultimately granting themselves full administrative privileges.
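As an added illustration (not the plugin's own code), the following shows how a rememberLogin handler could close the two defects the description names: an authentication check in the permission callback, a refusal when the stored or supplied secret is empty, and a strict constant-time comparison instead of the loose `!=`. The REST namespace, function and parameter names, and the `manage_options` capability are assumptions; only rememberLogin, asSecret, get_user_meta() and wp_set_auth_cookie() come from the advisory.

```php
<?php
// Added example, not the plugin's code. Namespace, callback names, parameter
// names and the required capability are assumptions for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'account-switcher/v1', '/rememberLogin', array(
        'methods'  => 'POST',
        'callback' => 'acsw_hardened_remember_login',
        // Weak form from the advisory: 'permission_callback' => '__return_true'.
        // Hardened form: only a logged-in user with an admin-level capability.
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'manage_options' );
        },
        'args' => array(
            'user_id' => array( 'required' => true, 'sanitize_callback' => 'absint' ),
            'secret'  => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function acsw_hardened_remember_login( WP_REST_Request $request ) {
    $user_id  = (int) $request->get_param( 'user_id' );
    $supplied = (string) $request->get_param( 'secret' );
    // Single-value meta that was never written comes back as '' (the empty-secret case).
    $stored   = get_user_meta( $user_id, 'asSecret', true );

    // Refuse before comparing, so an empty supplied value can never match an absent secret.
    if ( ! is_string( $stored ) || '' === $stored || '' === $supplied ) {
        return new WP_Error( 'as_no_secret', 'No secret on file.', array( 'status' => 403 ) );
    }

    // Weak form from the advisory: if ( $supplied != $stored ) — loose comparison.
    // Hardened form: strict, constant-time comparison of two non-empty strings.
    if ( ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'as_bad_secret', 'Secret mismatch.', array( 'status' => 403 ) );
    }

    wp_set_auth_cookie( $user_id );
    return rest_ensure_response( array( 'switched' => true ) );
}
```

A detection hook can be placed next to the wp_set_auth_cookie() call to log every switch (acting user, target user, time) so an audit of administrator transitions, as the remediation advises, has something to read.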

Analysis (AI)

Privilege escalation in the BeycanPress Account Switcher WordPress plugin (versions up to and including 1.0.2) allows authenticated Subscriber-level users to hijack any account, including Administrator, by abusing a loose PHP comparison in the rememberLogin REST endpoint. No public exploit is identified at the time of analysis, but the issue is trivially reproducible from the disclosed root cause and the plugin source on WordPress.org is publicly indexable.


Remediation (AI)

Within 24 hours: Disable the BeycanPress Account Switcher plugin on all WordPress installations and audit recent administrator account activity for unauthorized transitions. Within 7 days: Review alternative account management solutions and confirm no unauthorized account access occurred during plugin deployment. …



CVE-2026-6456 vulnerability details – vuln.today
