CVE-2026-5617 Overview
CVE-2026-5617 is a privilege escalation vulnerability in the Login as User plugin for WordPress, affecting all versions up to and including 1.0.3. The flaw resides in the handle_return_to_admin() function, which trusts the client-controlled oclaup_original_admin cookie to determine which user to authenticate as. The plugin performs no server-side verification that the cookie was set during a legitimate admin-initiated user switch. Authenticated attackers with Subscriber-level access or higher can set the cookie to an administrator's user ID and trigger the "Return to Admin" functionality to seize administrator privileges. The weakness is classified as Authorization Bypass Through User-Controlled Key [CWE-639].
Critical Impact
A low-privileged Subscriber can escalate to full administrator on any WordPress site running the vulnerable plugin, leading to complete site takeover.
Affected Products
- Login as User plugin for WordPress (slug: one-click-login-as-user)
- All versions up to and including 1.0.3
- WordPress installations exposing subscriber or higher registration
Discovery Timeline
- 2026-04-15 - CVE-2026-5617 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-5617
Vulnerability Analysis
The Login as User plugin provides administrators with a "switch user" capability and a corresponding "Return to Admin" function to revert the session back to the original administrator. To track the original administrator, the plugin sets a browser cookie named oclaup_original_admin containing the admin's user ID. When handle_return_to_admin() executes, it reads this cookie and calls WordPress authentication routines to re-authenticate as the user ID present in the cookie. No nonce, capability check, signed token, or server-side session record validates that the cookie was issued by the plugin during a legitimate switch operation. The relevant logic is visible in class-login-handler.php at lines 45 and 50 in the plugin source.
Root Cause
The root cause is improper authorization based on a user-controlled value [CWE-639]. The plugin treats the oclaup_original_admin cookie as authoritative identity material rather than untrusted client input. A signed value, transient stored server-side, or capability check tied to the current user would have prevented the issue.
Attack Vector
An attacker authenticates to the target WordPress site with any account at Subscriber level or higher. The attacker manually creates an oclaup_original_admin cookie containing the numeric user ID of an administrator account (commonly 1). The attacker then requests the URL that triggers handle_return_to_admin(). The plugin reads the forged cookie and re-authenticates the session as that administrator, granting full control of the site, including plugin installation, content modification, and arbitrary PHP execution through theme or plugin editors.
// No verified exploit code is available.
// See referenced plugin source for the vulnerable logic:
// class-login-handler.php lines 45 and 50
Detection Methods for CVE-2026-5617
Indicators of Compromise
- Presence of the oclaup_original_admin cookie in HTTP requests originating from non-administrator sessions.
- WordPress audit logs showing a Subscriber-level account performing administrator-only actions such as plugin installation or user role changes.
- Unexpected user_login events in wp_login hooks where the authenticating user did not submit credentials.
- New administrator accounts or modified wp_users / wp_usermeta rows following requests to the plugin's return-to-admin endpoint.
Detection Strategies
- Inspect web server and WAF logs for requests containing the oclaup_original_admin cookie paired with low-privileged session cookies.
- Correlate authentication events with originating IP addresses and user agents to identify session identity changes without a corresponding login form submission.
- Alert on any role transition from subscriber or contributor to administrator within a short time window.
Monitoring Recommendations
- Enable verbose logging of WordPress role and capability changes through an audit plugin or SIEM forwarding.
- Forward web access logs and WordPress application logs to a centralized data lake for retroactive hunting.
- Monitor for installation of new plugins, theme file edits, and creation of administrator accounts as downstream indicators of successful exploitation.
How to Mitigate CVE-2026-5617
Immediate Actions Required
- Deactivate and remove the Login as User plugin (one-click-login-as-user) until a patched version is released.
- Audit all WordPress user accounts and remove unauthorized administrators or recently elevated users.
- Force a password reset and session invalidation for all administrator accounts.
- Review installed plugins, themes, and wp-content/uploads for unauthorized PHP files.
Patch Information
No fixed version is listed in the NVD entry at the time of publication. All releases up to and including 1.0.3 remain vulnerable. Monitor the WordPress Plugin Overview page and the Wordfence Vulnerability Analysis for an updated release.
Workarounds
- Remove the plugin entirely from the wp-content/plugins/ directory rather than only deactivating it.
- Block requests containing the oclaup_original_admin cookie at the web application firewall or reverse proxy.
- Restrict new user registration and review the default role assigned to new accounts in WordPress settings.
- Apply IP allow-listing to wp-admin and wp-login.php to limit who can authenticate against the site.
# Remove the vulnerable plugin from the filesystem
wp plugin deactivate one-click-login-as-user
wp plugin delete one-click-login-as-user
# Optional: block the cookie at the nginx layer
# if ($http_cookie ~* "oclaup_original_admin") { return 403; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

