PT-2026-42068 · WordPress · Account Switcher

Ren Voza · Published 2026-05-20 · Updated 2026-05-28 · CVE-2026-6456

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Account Switcher versions prior to 1.0.3
Description: The Account Switcher plugin for WordPress allows authenticated attackers with Subscriber-level access or higher to escalate privileges to any user account, including Administrator. The 'rememberLogin' REST API endpoint validates the submitted secret with a loose comparison and never checks that the stored secret is non-empty. If the target user has never used the Remember me feature, that user's asSecret user meta is empty, so an attacker can pass an empty secret parameter, satisfy the comparison, and cause wp_set_auth_cookie() to be called for the target user, which logs the attacker in as that user. Furthermore, every REST route in the plugin is registered with 'permission_callback' => '__return_true', so the capability checks that should gate these endpoints are never performed.
Recommendations: Update the plugin to a version later than 1.0.2. As a temporary workaround, restrict access to the 'rememberLogin' REST API endpoint to minimize the risk of exploitation.
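The two defects named in the Description and the fix implied by the Recommendations, shown side by side. This is an added illustration written for this page, not the Account Switcher plugin's own code: it reconstructs the loose comparison and the missing empty-secret check as stand-alone functions (runnable under the php CLI), then shows how a hardened 'rememberLogin' route would be registered. The route namespace, the 'user_id' parameter name and the 'manage_options' capability are assumptions; the endpoint name, the 'secret' parameter and the asSecret meta key come from the advisory.

```php
<?php
// Added illustration, not the Account Switcher plugin's code.
declare(strict_types=1);

// Vulnerable pattern: PHP's loose comparison (==) on the stored asSecret meta.
// For a user who never used "Remember me" the stored value is '', and an empty
// 'secret' request parameter compares equal to it, so validation passes.
function secret_matches_loose(string $stored, string $provided): bool
{
    return $stored == $provided;
}

// Hardened check: refuse a missing or empty secret on either side, then compare
// with hash_equals(), which is strict (no type juggling) and constant-time.
function secret_matches_strict(?string $stored, ?string $provided): bool
{
    if ($stored === null || $stored === '' || $provided === null || $provided === '') {
        return false;
    }
    return hash_equals($stored, $provided);
}

// WordPress wiring, only defined when loaded inside WordPress. Route namespace,
// the 'user_id' parameter and the capability are assumed for illustration.
if (function_exists('add_action')) {
    add_action('rest_api_init', function () {
        register_rest_route('account-switcher/v1', '/rememberLogin', [
            'methods'  => 'POST',
            'callback' => function (WP_REST_Request $request) {
                $user_id = (int) $request->get_param('user_id');      // assumed name
                $secret  = (string) $request->get_param('secret');
                // get_user_meta() returns '' when the meta was never set.
                $stored  = (string) get_user_meta($user_id, 'asSecret', true);
                if (!secret_matches_strict($stored, $secret)) {
                    return new WP_Error('rest_forbidden', 'Invalid secret', ['status' => 403]);
                }
                wp_set_auth_cookie($user_id);
                return rest_ensure_response(['ok' => true]);
            },
            // Instead of '__return_true': require a real capability, so a
            // Subscriber-level account cannot reach the callback at all.
            'permission_callback' => function () {
                return current_user_can('manage_options');             // assumed capability
            },
        ]);
    });
}

// Stand-alone demonstration with constructed values (no WordPress needed).
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $never_remembered = '';   // asSecret meta of a user who never used Remember me
    $attacker_secret  = '';   // empty 'secret' parameter from the attacker's request

    printf("loose  check, empty stored vs empty provided: %s\n",
        secret_matches_loose($never_remembered, $attacker_secret) ? 'ACCEPTED (bypass)' : 'rejected');
    printf("strict check, empty stored vs empty provided: %s\n",
        secret_matches_strict($never_remembered, $attacker_secret) ? 'accepted' : 'rejected');
    printf("strict check, matching non-empty secrets:      %s\n",
        secret_matches_strict('s3cr3t-from-remember-me', 's3cr3t-from-remember-me') ? 'accepted' : 'rejected');

    // Exit non-zero if the hardened check ever accepts the empty-secret case.
    exit(secret_matches_strict($never_remembered, $attacker_secret) ? 1 : 0);
}
```

Run it with `php remember_login_check.php`: the loose check reports the bypass for the empty/empty case while the strict check rejects it and still accepts a genuine match. Note that the non-empty check alone is not sufficient; the permission_callback is what keeps a Subscriber from invoking the endpoint in the first place, which is the workaround the Recommendations describe.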

Tags: Fix, LPE

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2026-6456

Affected Products: Account Switcher