Threat Feed
high advisory

CVE-2026-6456 - WordPress Account Switcher Plugin Privilege Escalation

The Account Switcher plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6456) due to a loose comparison and lack of validation on the `rememberLogin` REST API endpoint, allowing authenticated attackers to gain administrator privileges.

The Account Switcher plugin for WordPress, in versions up to and including 1.0.2, contains a privilege escalation vulnerability (CVE-2026-6456). The vulnerability resides within the rememberLogin REST API endpoint at app/RestAPI.php:111. It stems from the use of a loose comparison (!=) instead of a strict comparison (!==) for secret validation, combined with the absence of any validation to ensure that the secret is non-empty. This allows an authenticated attacker with Subscriber-level access or higher to elevate their privileges to that of any other user, including an Administrator, by sending an empty secret parameter. All REST routes also lack proper capability checks due to permission_callback => '__return_true', exacerbating the issue.

Attack Chain

  1. An attacker with Subscriber-level access or higher authenticates to the WordPress site.
  2. The attacker identifies a target user account to escalate privileges to (e.g., an Administrator account).
  3. The attacker crafts a malicious HTTP POST request to the rememberLogin REST API endpoint.
  4. The request includes an empty string for the secret parameter.
  5. The server-side code at app/RestAPI.php:111 performs a loose comparison ('' != ''), which evaluates to false.
  6. Due to the lack of proper validation, this false result allows the execution to proceed, and wp_set_auth_cookie() is called with the target user’s ID.
  7. The attacker’s session is now authenticated as the target user, granting them the target user’s privileges, including Administrator.
  8. The attacker can now perform any administrative action on the WordPress site.
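The pattern described above, as an added PHP reconstruction for this advisory (not the plugin's actual code), with a hardened counterpart beside it; the route namespace, meta key, function names and the `manage_options` capability are assumptions:

```php
<?php
// Illustrative reconstruction for this advisory, not the plugin's code.
// Namespace, meta key and function names below are assumptions.

// VULNERABLE pattern described above: permission_callback => '__return_true',
// loose comparison, and no check that the secret is non-empty.
function acctsw_demo_register_vulnerable_route() {
    register_rest_route( 'acctsw-demo/v1', '/rememberLogin', array(
        'methods'             => 'POST',
        'callback'            => 'acctsw_demo_remember_login_vulnerable',
        'permission_callback' => '__return_true', // every request reaches the callback
    ) );
}

function acctsw_demo_remember_login_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $stored  = get_user_meta( $user_id, 'acctsw_demo_secret', true ); // '' when unset
    // '' != '' (and '' != null) is false, so an empty secret passes the check.
    if ( $stored != $request->get_param( 'secret' ) ) {
        return new WP_Error( 'bad_secret', 'Invalid secret', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id );
    return rest_ensure_response( array( 'ok' => true ) );
}

// HARDENED version: capability check on the route, strict non-empty
// validation, and a constant-time comparison of the two secrets.
function acctsw_demo_register_hardened_route() {
    register_rest_route( 'acctsw-demo/v1', '/rememberLogin', array(
        'methods'             => 'POST',
        'callback'            => 'acctsw_demo_remember_login_hardened',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'manage_options' );
        },
    ) );
}

function acctsw_demo_remember_login_hardened( WP_REST_Request $request ) {
    $user_id  = (int) $request->get_param( 'user_id' );
    $supplied = $request->get_param( 'secret' );
    $stored   = get_user_meta( $user_id, 'acctsw_demo_secret', true );
    // Reject anything that is not a non-empty string before comparing.
    if ( ! is_string( $supplied ) || '' === $supplied || ! is_string( $stored ) || '' === $stored
         || ! hash_equals( $stored, $supplied ) ) { // strict and constant-time
        return new WP_Error( 'bad_secret', 'Invalid secret', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

The permission callback is what keeps Subscriber-level callers out of the route entirely; the non-empty check and `hash_equals()` then remove the type-juggling and empty-secret paths the advisory describes.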

Impact

Successful exploitation of CVE-2026-6456 allows any authenticated user with at least Subscriber privileges to gain full administrative control of the WordPress site. This can lead to complete compromise of the website, including data theft, defacement, malware injection, and denial of service. The CVSS v3.1 base score is 8.8, indicating a high severity vulnerability.

Recommendation

  • Apply the security patch released by the plugin vendor to upgrade to a version greater than 1.0.2, which addresses CVE-2026-6456.
  • Deploy the Sigma rule "Detect CVE-2026-6456 Exploitation Attempt" to monitor for malicious requests to the rememberLogin REST API endpoint with an empty secret parameter.
  • Review and audit all custom REST API endpoints in WordPress plugins to ensure proper authentication, authorization, and input validation are in place to prevent similar privilege escalation vulnerabilities.

Detection coverage (2 rules)

Detect CVE-2026-6456 Exploitation Attempt

high

Detects a CVE-2026-6456 exploitation attempt: an HTTP POST request to the rememberLogin REST API endpoint with an empty secret parameter.

Format: Sigma | Tactics: privilege_escalation | Techniques: T1068, T1548 | Sources: webserver

Detect Account Switcher REST API Requests with Missing Capability Checks

info

Detects HTTP requests to the Account Switcher REST API endpoints which lack capability checks.

Format: Sigma | Tactics: privilege_escalation | Techniques: T1068, T1548 | Sources: webserver
