PT-2025-23281 · WordPress · Browse As

István Márton · Published 2025-05-30 · Updated 2025-06-04

CVE-2025-5190 · CVSS v3.1 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Browse As plugin for WordPress, versions up to and including 0.2
Description: The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to and including 0.2. The issue is due to incorrect authentication checking in the IS_BA_Browse_As::notice function, which trusts the value of the is_ba_original_user_ . COOKIEHASH cookie (the cookie name is the prefix is_ba_original_user_ followed by WordPress's COOKIEHASH constant). Because that cookie value is under the client's control, an authenticated attacker with Subscriber-level access or above can log in as any existing user on the site, such as an administrator, provided they know the target's user ID.
Recommendations: For versions up to and including 0.2, disable the IS_BA_Browse_As::notice function (in practice, deactivate the plugin) until a patched release is available. Restricting access to user IDs is suggested as a secondary measure, but treat it as minor hardening rather than a mitigation: WordPress user IDs are not secret and are commonly discoverable through author archives and the REST API users endpoint.
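The pattern behind the description, shown as an added illustration. This is not the Browse As plugin's code: the class names, cookie prefix, user-meta key and query parameter are assumptions modelled on the identifiers in the advisory, and the WordPress functions used (wp_set_auth_cookie, get_user_meta, wp_hash, wp_verify_nonce, current_user_can) are the real core APIs. The vulnerable class restores "the original user" from a cookie value, so any logged-in user who sets that cookie to an administrator's ID is logged in as the administrator. The hardened class keeps the identity server-side and lets the cookie carry only a random bearer secret that is bound to the impersonation session.

```php
<?php
// Added illustration of CWE-288 as described in the advisory. Not the plugin's
// own code; names below are hypothetical.

// --- Vulnerable pattern: identity read from a client-writable cookie ----------
class Vulnerable_Browse_As {
    const COOKIE_PREFIX = 'is_ba_original_user_'; // assumption: prefix . COOKIEHASH

    // Runs on every admin page load to offer "switch back" and perform it.
    public function notice() {
        $cookie = self::COOKIE_PREFIX . COOKIEHASH;
        if ( empty( $_COOKIE[ $cookie ] ) ) {
            return;
        }
        // BUG: the cookie is attacker-controlled. A Subscriber who sets it to
        // an administrator's user ID is logged in as that administrator. There
        // is no capability check and no proof a browse-as session ever started.
        $original_user_id = (int) wp_unslash( $_COOKIE[ $cookie ] );
        wp_set_auth_cookie( $original_user_id );
        wp_set_current_user( $original_user_id );
        setcookie( $cookie, '', time() - HOUR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
    }
}

// --- Hardened pattern: identity stored server-side, cookie is only a secret --
class Hardened_Browse_As {
    const COOKIE_PREFIX = 'hba_session_';  // hypothetical
    const META          = '_hba_browse_as'; // hypothetical user-meta key

    // Start impersonating $target_user_id. Only a user allowed to edit users may
    // do so; the link back to the original account lives in the target's user
    // meta, never in a value the client can rewrite.
    public function start( $target_user_id ) {
        $target_user_id = (int) $target_user_id;
        if ( ! current_user_can( 'edit_users' ) || ! get_userdata( $target_user_id ) ) {
            wp_die( 'Not allowed.' );
        }
        $token = wp_generate_password( 32, false ); // random bearer secret
        update_user_meta( $target_user_id, self::META, array(
            'original' => get_current_user_id(),
            'token'    => wp_hash( $token ),       // store only a hash of it
            'expires'  => time() + HOUR_IN_SECONDS,
        ) );
        // The token (not an identity) goes to the browser that started the session.
        // Without it, the real owner of the target account, who also sees the
        // meta record, cannot "switch back" into the administrator's account.
        setcookie( self::COOKIE_PREFIX . COOKIEHASH, $token, 0, COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );
        wp_set_auth_cookie( $target_user_id );
    }

    // Switch back only on an explicit, nonce-protected request, and only when
    // the currently authenticated account (verified by WordPress's own auth
    // cookie) has a live session record whose token matches the cookie.
    public function notice() {
        $cookie = self::COOKIE_PREFIX . COOKIEHASH;
        if ( ! is_user_logged_in() || empty( $_GET['hba_switch_back'] ) || empty( $_COOKIE[ $cookie ] ) ) {
            return;
        }
        if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), 'hba_switch_back' ) ) {
            return;
        }
        $current = get_current_user_id();
        $session = get_user_meta( $current, self::META, true );
        if ( ! is_array( $session ) || ! isset( $session['original'], $session['token'], $session['expires'] ) ) {
            return; // no server-side session for this account: the cookie proves nothing
        }
        $presented = wp_hash( (string) wp_unslash( $_COOKIE[ $cookie ] ) );
        if ( time() > (int) $session['expires'] || ! hash_equals( (string) $session['token'], $presented ) ) {
            delete_user_meta( $current, self::META );
            return;
        }
        // Re-check that the recorded original user is still allowed to impersonate.
        if ( ! user_can( (int) $session['original'], 'edit_users' ) ) {
            delete_user_meta( $current, self::META );
            return;
        }
        delete_user_meta( $current, self::META );
        wp_set_auth_cookie( (int) $session['original'] );
        wp_set_current_user( (int) $session['original'] );
        setcookie( $cookie, '', time() - HOUR_IN_SECONDS, COOKIEPATH, COOKIE_DOMAIN );
    }
}
```

The essential difference is what the cookie is allowed to mean. In the vulnerable class it is an identity, so any authenticated user can choose who to become; in the hardened class it is a random secret whose hash is stored against a specific account together with the capability-checked original user, so the switch-back can only restore an account that a privileged user actually left, and only from the browser that started the session.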

Fix

Weakness Enumeration

CWE-288: Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2025-5190

Affected Products

Browse As