PatchSiren cyber security CVE debrief
CVE-2026-6456 beycanpress CVE debrief
## Summary

A privilege-escalation vulnerability in the WordPress Account Switcher plugin (≤1.0.2) allows any authenticated user (Subscriber+) to assume any other account—including Administrator—by sending an empty secret to the `rememberLogin` REST endpoint. The root cause is a loose comparison (`!=`) combined with missing non-empty checks on the `asSecret` user meta, causing `'' != ''` to evaluate as `false` and bypass authentication. All REST routes also use `permission_callback => '__return_true'`, removing capability checks entirely.

## Technical Analysis

The vulnerability exists in `app/RestAPI.php:111`, where the plugin validates a user-supplied `secret` parameter against the stored `asSecret` user meta:

- **Loose comparison**: The code uses `!=` rather than `!==`, enabling type juggling.
- **Empty secret bypass**: When a target user has never enabled “Remember me,” `get_user_meta()` returns an empty string. An attacker sending an empty `secret` parameter causes the comparison `'' != ''` to return `false`, which the logic treats as a successful match.
- **Missing capability checks**: The REST route registration uses `permission_callback => '__return_true'` (see `app/PluginHero/BaseAPI.php:54`), allowing any authenticated WordPress user to invoke the endpoint.

Upon successful “validation,” the endpoint calls `wp_set_auth_cookie()` for the target user ID, establishing an authenticated session as that user.

## Affected Versions

- Account Switcher plugin for WordPress: all versions up to and including 1.0.2

## CVSS 3.1 Assessment

- **Score**: 8.8 (High)
- **Vector**: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- **Rationale**: Network-accessible, low attack complexity, low privileges required (Subscriber), no user interaction, high impact to confidentiality, integrity, and availability.

## Recommended Actions

1. **Immediate**: Disable or remove the Account Switcher plugin until a patched version (>1.0.2) is available.
2. **Verification**: Audit WordPress user sessions and logs for unexpected account switches or privilege escalations.
3. **Update**: Apply the vendor patch as soon as released; verify the fix implements strict comparison (`===`) and enforces capability checks on REST endpoints.
- Vendor: beycanpress
- Product: Account Switcher
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators, security teams, and developers maintaining sites with the Account Switcher plugin installed.
Technical summary
The Account Switcher plugin's `rememberLogin` REST endpoint uses loose comparison (`!=`) for secret validation without checking for non-empty values. When target users lack an `asSecret` meta value (empty string), attackers can submit an empty `secret` parameter to bypass validation and invoke `wp_set_auth_cookie()` for arbitrary user IDs. All REST routes lack capability checks via `__return_true` permission callbacks.
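To make the defect concrete, here is an added illustration (not the plugin's source) of the validation pattern described above beside a hardened form. The handler names, the `userId` parameter and the `account-switcher/v1` route namespace are assumptions; `get_user_meta()`, `wp_set_auth_cookie()`, `register_rest_route()`, `current_user_can()` and `hash_equals()` are the real WordPress/PHP functions.

```php
<?php
// Constructed example, not the plugin's code. Names marked below are assumptions.

// VULNERABLE pattern: get_user_meta() returns '' for a user who never enabled
// "Remember me", so an empty request secret makes  '' != ''  evaluate to false
// and the check is treated as a successful match.
function vulnerable_remember_login( WP_REST_Request $request ) {   // assumed name
    $user_id = (int) $request->get_param( 'userId' );              // assumed param
    $secret  = (string) $request->get_param( 'secret' );
    $stored  = get_user_meta( $user_id, 'asSecret', true );        // '' when unset

    if ( $secret != $stored ) {                                    // loose comparison
        return new WP_Error( 'forbidden', 'Invalid secret', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id );                                // session as target user
    return rest_ensure_response( array( 'ok' => true ) );
}

// HARDENED form: reject an empty or non-string value on either side before
// comparing, then compare with strict string semantics in constant time.
function hardened_remember_login( WP_REST_Request $request ) {     // assumed name
    $user_id = (int) $request->get_param( 'userId' );
    $secret  = $request->get_param( 'secret' );
    $stored  = get_user_meta( $user_id, 'asSecret', true );

    if ( ! is_string( $secret ) || $secret === '' || ! is_string( $stored ) || $stored === '' ) {
        return new WP_Error( 'forbidden', 'Invalid secret', array( 'status' => 403 ) );
    }
    if ( ! hash_equals( $stored, $secret ) ) {                     // strict, timing-safe
        return new WP_Error( 'forbidden', 'Invalid secret', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id );
    return rest_ensure_response( array( 'ok' => true ) );
}

// Route registration: a state-changing endpoint must not use '__return_true'.
// The permission callback runs before the handler and enforces a capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'account-switcher/v1', '/remember-login', array(  // assumed route
        'methods'             => 'POST',
        'callback'            => 'hardened_remember_login',
        'permission_callback' => function () {
            return is_user_logged_in() && current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a vendor patch, look for all three changes together: the empty-value guard, the strict comparison, and a real `permission_callback`; fixing only the operator still leaves the endpoint callable by any authenticated user.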
Defensive priority
high
Recommended defensive actions
- Disable or remove the Account Switcher plugin until a patched version (>1.0.2) is available
- Audit WordPress user sessions and logs for unexpected account switches or privilege escalations
- Apply the vendor patch as soon as released; verify the fix implements strict comparison (`===`) and enforces capability checks on REST endpoints
- Review all installed plugins for similar patterns: loose comparisons in authentication logic and permissive REST API permission callbacks
Evidence notes
Vulnerability details sourced from Wordfence advisory and plugin source code review via WordPress.org Trac. CWE-287 (Improper Authentication) assigned by Wordfence.
Official resources
2026-05-20