PT-2026-33011 · WordPress · Login As User

Published: 2026-04-15 · Updated: 2026-04-24 · CVE-2026-5617
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Login as User plugin for WordPress, versions prior to 1.0.4
Description: The handle_return_to_admin() function trusts the client-controlled cookie oclaup_original_admin to decide which user to authenticate as. Because the server never verifies that the cookie was legitimately set during an admin-initiated user switch, authenticated attackers with Subscriber-level access or higher can escalate their privileges to administrator by setting the oclaup_original_admin cookie to an administrator's user ID and triggering the Return to Admin functionality.
Recommendations: Update to a version later than 1.0.3.
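The weak pattern the advisory describes, beside a hardened switch/return pair, as an added illustration (not the plugin's code): only the cookie name and the shape of the fix follow the advisory; the function names, the oclaup_switch_ transient prefix and the edit_users capability check are assumptions.

```php
<?php
// Added illustration, not the Login As User plugin's code. Function and
// transient names are hypothetical; the cookie name comes from the advisory.

// Weak pattern from the advisory: the cookie value alone decides who we become.
function weak_return_to_admin() {
    $admin_id = (int) ( $_COOKIE['oclaup_original_admin'] ?? 0 );
    wp_set_auth_cookie( $admin_id );   // any logged-in user can set this cookie
}

// Hardened: the cookie carries an opaque, single-use token; the mapping
// admin => switched-to user is stored server-side and checked on return.
function hardened_start_switch( int $target_user_id ) {
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    $token = wp_generate_password( 40, false );          // random, unguessable
    set_transient( 'oclaup_switch_' . hash( 'sha256', $token ), [
        'admin_id'  => get_current_user_id(),
        'target_id' => $target_user_id,
    ], HOUR_IN_SECONDS );
    setcookie( 'oclaup_original_admin', $token, time() + HOUR_IN_SECONDS,
        COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );     // Secure, HttpOnly
    wp_set_auth_cookie( $target_user_id );
}

function hardened_return_to_admin() {
    $token = (string) ( $_COOKIE['oclaup_original_admin'] ?? '' );
    $key   = 'oclaup_switch_' . hash( 'sha256', $token );
    $state = $token !== '' ? get_transient( $key ) : false;
    // Reject unless the token is known server-side, the caller is the user the
    // admin switched to, and the original admin still holds the capability.
    if ( ! is_array( $state )
        || (int) $state['target_id'] !== get_current_user_id()
        || ! user_can( (int) $state['admin_id'], 'edit_users' ) ) {
        wp_die( 'Invalid or expired switch-back request' );
    }
    delete_transient( $key );                            // single use
    setcookie( 'oclaup_original_admin', '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN );
    wp_set_auth_cookie( (int) $state['admin_id'] );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The point of the fix is that the cookie never names the admin; a user ID supplied by the client is only accepted if it matches state the server itself recorded at switch time.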

Tags: Fix · LPE · IDOR


Weakness Enumeration

Related Identifiers
CVE-2026-5617

Affected Products
Login As User