HIGH
beycanpress
CVE published 2026-05-20
CVE-2026-6456
## Summary

A privilege-escalation vulnerability in the WordPress Account Switcher plugin (≤1.0.2) allows any authenticated user (Subscriber+) to assume any other account—including Administrator—by sending an empty secret to the `rememberLogin` REST endpoint. The root cause is a loose comparison (`!=`) combined with missing non-empty checks on the `asSecret` user meta, causing `'' != ''` to evaluate as `fa [truncated]
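
The comparison flaw described in the summary, shown next to a hardened check. This is an added example, not the plugin's code. The function names and the in-memory meta store are hypothetical, and it assumes the stored value is read the way `get_user_meta($id, 'asSecret', true)` returns it, which is `''` when the key does not exist.

```php
<?php
// Added illustration; function names and the array-backed store are hypothetical.
// Only the `asSecret` meta key is taken from the advisory text.

// Constructed sample data: user 1 has no asSecret row, user 2 has one.
$userMeta = [
    1 => [],
    2 => ['asSecret' => 'k3y-constructed-sample'],
];

// Stand-in for get_user_meta($id, $key, true): '' when the key is absent.
function meta_single(array $store, int $userId, string $key)
{
    return $store[$userId][$key] ?? '';
}

// Loose check: rejects only when the two values differ under `!=`.
function check_loose(array $store, int $userId, $supplied): bool
{
    $stored = meta_single($store, $userId, 'asSecret');
    if ($supplied != $stored) {
        return false;
    }
    return true; // reached when both sides are '' as well
}

// Hardened check: both sides must be non-empty strings, compared in constant time.
function check_strict(array $store, int $userId, $supplied): bool
{
    $stored = meta_single($store, $userId, 'asSecret');
    if (!is_string($stored) || $stored === '') {
        return false; // no secret on record, so nothing can match
    }
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Print both verdicts for each constructed case.
$cases = [[1, ''], [2, ''], [2, 'k3y-constructed-sample'], [2, 'wrong']];
foreach ($cases as [$uid, $secret]) {
    printf("user=%d supplied=%-26s loose=%s strict=%s\n", $uid,
        var_export($secret, true),
        var_export(check_loose($userMeta, $uid, $secret), true),
        var_export(check_strict($userMeta, $uid, $secret), true));
}
```

The two checks disagree only on the first case, where the account has no stored secret and the supplied value is empty.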