CVE-2026-6456 HIGH

CVE-2026-6456: Account Switcher <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation

Vendor Beycanpress
Product Account Switcher
Weakness CWE-287 · Improper authentication
Published May 20, 2026
Last update May 20, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the `rememberLogin` REST API endpoint using a loose comparison (`!=` instead of `!==`) for secret validation at `app/RestAPI.php:111`, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their `asSecret` user meta does not exist, causing `get_user_meta()` to return an empty string. An attacker can send an empty `secret` parameter, which passes the comparison (`'' != ''` is `false`), and the endpoint then calls `wp_set_auth_cookie()` for the target user. Additionally, all REST routes use `permission_callback => '__return_true'` with no capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to switch to any user account including Administrator, ultimately granting themselves full administrative privileges.
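To make the two defects concrete, here is an added PHP illustration of the vulnerable shape the advisory describes beside a hardened version. This is not the plugin's own code: the route namespace, the route name, the `user_id` parameter, the handler names and the error messages are assumptions made for the example; only the `asSecret` meta key, the `!=` comparison, the `__return_true` permission callback and the `wp_set_auth_cookie()` call come from the advisory.

```php
<?php
// Added example, not the plugin's code. Route namespace/name, 'user_id',
// handler names and error strings are assumptions for illustration.

// --- Vulnerable shape (as described in the advisory) ------------------------
add_action('rest_api_init', function () {
    register_rest_route('account-switcher/v1', '/rememberLogin', [
        'methods'             => 'POST',
        'callback'            => 'as_remember_login_vulnerable',
        'permission_callback' => '__return_true', // any caller, no capability check
    ]);
});

function as_remember_login_vulnerable(WP_REST_Request $request) {
    $userId = (int) $request->get_param('user_id');
    $secret = (string) $request->get_param('secret');

    // With $single = true, a missing meta value is returned as ''.
    $stored = get_user_meta($userId, 'asSecret', true);

    // Loose comparison and no non-empty check: '' != '' is false, so an
    // empty 'secret' passes for any user who never used "Remember me".
    if ($secret != $stored) {
        return new WP_Error('invalid_secret', 'Invalid secret', ['status' => 403]);
    }

    wp_set_auth_cookie($userId); // caller is now logged in as $userId
    return rest_ensure_response(['success' => true]);
}

// --- Hardened shape ---------------------------------------------------------
add_action('rest_api_init', function () {
    register_rest_route('account-switcher/v1', '/rememberLogin', [
        'methods'             => 'POST',
        'callback'            => 'as_remember_login_hardened',
        // Require a logged-in caller who is already allowed to manage users;
        // a Subscriber fails this check before the handler runs.
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can('edit_users');
        },
        'args' => [
            'user_id' => ['required' => true, 'type' => 'integer'],
            'secret'  => ['required' => true, 'type' => 'string'],
        ],
    ]);
});

function as_remember_login_hardened(WP_REST_Request $request) {
    $userId = (int) $request->get_param('user_id');
    $secret = (string) $request->get_param('secret');
    $stored = get_user_meta($userId, 'asSecret', true);

    // A never-set secret must never match: reject if either side is empty.
    if (!is_string($stored) || $stored === '' || $secret === '') {
        return new WP_Error('invalid_secret', 'Invalid secret', ['status' => 403]);
    }

    // Strict, constant-time comparison: no type juggling, no timing leak.
    if (!hash_equals($stored, $secret)) {
        return new WP_Error('invalid_secret', 'Invalid secret', ['status' => 403]);
    }

    wp_set_auth_cookie($userId);
    return rest_ensure_response(['success' => true]);
}
```

Note that switching `!=` to `!==` alone would not close the hole, because `'' !== ''` is also false; the empty-value check and a real `permission_callback` are what stop the empty-secret path and the Subscriber caller respectively.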

Explanation of Vulnerability in Simple Terms

02 Summary

Account Switcher versions 1.0.2 and earlier contain an authentication bypass in the plugin's `rememberLogin` REST endpoint that lets any logged-in user with Subscriber-level access or higher be logged in as any other user, including an Administrator. Exploitation requires only a valid low-privilege account and no user interaction. Because the attacker ends up with full administrative privileges, they can read confidential information, alter site content and settings, or disrupt service availability.

What an attacker can do

03 Attacker Capabilities

Switch from a Subscriber-level account into any other user account, including Administrator, and with the resulting administrative privileges read sensitive data, modify site content, and disrupt service availability.

Potential impact on your site

04 Site Impact

Any user holding a low-privilege account can take over administrator accounts on the site and, from there, access confidential information, alter content and configuration, and cause service disruption.

Conditions required to exploit

05 Prerequisites

The attacker must have a valid low-privilege user account (Subscriber or above); no user interaction is required. The targeted account must never have used the plugin's "Remember me" feature, so that its `asSecret` user meta is absent and an empty `secret` parameter is accepted.

Key dates

06 Disclosure timeline

May 20, 2026 CVE published
May 20, 2026 Record updated