{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/account-switcher-plugin-for-wordpress--1.0.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-6456"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Account Switcher plugin for WordPress \u003c= 1.0.2"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","wordpress","cve","web-application"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Account Switcher plugin for WordPress, in versions up to and including 1.0.2, contains a privilege escalation vulnerability (CVE-2026-6456). The vulnerability resides within the \u003ccode\u003erememberLogin\u003c/code\u003e REST API endpoint at \u003ccode\u003eapp/RestAPI.php:111\u003c/code\u003e. It stems from the use of a loose comparison (\u003ccode\u003e!=\u003c/code\u003e) instead of a strict comparison (\u003ccode\u003e!==\u003c/code\u003e) for secret validation, combined with the absence of any validation to ensure that the secret is non-empty. This allows an authenticated attacker with Subscriber-level access or higher to elevate their privileges to that of any other user, including an Administrator, by sending an empty \u003ccode\u003esecret\u003c/code\u003e parameter. All REST routes also lack proper capability checks due to \u003ccode\u003epermission_callback =\u0026gt; '__return_true'\u003c/code\u003e, exacerbating the issue.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker with Subscriber-level access or higher authenticates to the WordPress site.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account to escalate privileges to (e.g., an Administrator account).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003erememberLogin\u003c/code\u003e REST API endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes an empty string for the \u003ccode\u003esecret\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe server-side code at \u003ccode\u003eapp/RestAPI.php:111\u003c/code\u003e performs a loose comparison (\u003ccode\u003e'' != ''\u003c/code\u003e), which evaluates to \u003ccode\u003efalse\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper validation, this \u003ccode\u003efalse\u003c/code\u003e result allows the execution to proceed, and \u003ccode\u003ewp_set_auth_cookie()\u003c/code\u003e is called with the target user\u0026rsquo;s ID.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s session is now authenticated as the target user, granting them the target user\u0026rsquo;s privileges, including Administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform any administrative action on the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-6456 allows any authenticated user with at least Subscriber privileges to gain full administrative control of the WordPress site. This can lead to complete compromise of the website, including data theft, defacement, malware injection, and denial of service. The CVSS v3.1 base score is 8.8, indicating a high severity vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch released by the plugin vendor to upgrade to a version greater than 1.0.2, which addresses CVE-2026-6456.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CVE-2026-6456 Exploitation Attempt\u003c/code\u003e to monitor for malicious requests to the \u003ccode\u003erememberLogin\u003c/code\u003e REST API endpoint with an empty secret parameter.\u003c/li\u003e\n\u003cli\u003eReview and audit all custom REST API endpoints in WordPress plugins to ensure proper authentication, authorization, and input validation are in place to prevent similar privilege escalation vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T02:19:04Z","date_published":"2026-05-20T02:19:04Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6456-wordpress-privesc/","summary":"The Account Switcher plugin for WordPress is vulnerable to privilege escalation (CVE-2026-6456) due to a loose comparison and lack of validation on the `rememberLogin` REST API endpoint, allowing authenticated attackers to gain administrator privileges.","title":"CVE-2026-6456 - WordPress Account Switcher Plugin Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6456-wordpress-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Account Switcher Plugin for WordPress \u003c= 1.0.2","version":"https://jsonfeed.org/version/1.1"}