CVE-2026-6456 Overview
CVE-2026-6456 is a privilege escalation vulnerability in the Account Switcher plugin for WordPress affecting all versions up to and including 1.0.2. The flaw resides in the rememberLogin REST API endpoint, which uses a loose comparison operator (!= instead of !==) when validating a user secret. Combined with missing capability checks on REST routes, an authenticated attacker with Subscriber-level access can switch into any account, including Administrator. The issue is classified under CWE-287: Improper Authentication.
Critical Impact
Authenticated Subscriber accounts can escalate to full Administrator privileges by sending an empty secret parameter to the plugin's REST endpoint, leading to complete WordPress site takeover.
Affected Products
- WordPress Account Switcher plugin versions up to and including 1.0.2
- WordPress sites with the plugin active and any target user who has never used the "Remember me" feature
- All WordPress installations exposing the plugin's REST API routes
Discovery Timeline
- 2026-05-20 - CVE-2026-6456 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-6456
Vulnerability Analysis
The Account Switcher plugin exposes a rememberLogin REST API endpoint intended to authenticate users who previously enabled the "Remember me" feature. At app/RestAPI.php:111, the endpoint compares a user-supplied secret parameter against the value stored in the asSecret user meta field. The comparison uses PHP's loose equality operator (!=), which performs type juggling rather than strict equality. When the target user has never used the remember-me feature, get_user_meta() returns an empty string. An attacker submitting an empty secret parameter satisfies the check because '' != '' evaluates to false, and the endpoint proceeds to call wp_set_auth_cookie() for the target user identifier.
Root Cause
Two design defects combine to enable exploitation. First, the secret validation logic uses loose comparison without verifying that the stored secret is non-empty, allowing empty-to-empty matches to authenticate as the target user. Second, every REST route in the plugin registers permission_callback => '__return_true', which disables WordPress's built-in capability enforcement on the endpoint.
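As an added illustration (not the plugin's own source), the vulnerable pattern the advisory describes beside a hardened version in PHP. The route path account-switcher/v1/rememberLogin, the userId and secret parameter names and the manage_options capability are assumptions; only the asSecret meta key, the rememberLogin endpoint and the '__return_true' permission callback come from the advisory.

```php
<?php
// Added illustration, not the plugin's own source. Route path, parameter
// names and the capability checked are assumptions; only asSecret,
// rememberLogin and '__return_true' are taken from the advisory.

// BEFORE (pattern described in the advisory): loose comparison, no
// empty check, and a permission callback that accepts every caller.
function as_remember_login_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'userId' );
    $secret  = $request->get_param( 'secret' );
    // Returns '' when the target user never enabled "Remember me".
    $stored  = get_user_meta( $user_id, 'asSecret', true );
    if ( $secret != $stored ) {          // '' != '' (and null != '') is false: empty secret passes
        return new WP_Error( 'as_bad_secret', 'Invalid secret', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id );      // caller now holds the target user's session
    return rest_ensure_response( array( 'ok' => true ) );
}

// AFTER: reject empty or non-string secrets on either side, compare in
// constant time with strict type semantics, and require a capability.
function as_remember_login_fixed( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'userId' );
    $secret  = $request->get_param( 'secret' );
    $stored  = get_user_meta( $user_id, 'asSecret', true );
    if ( ! is_string( $secret ) || $secret === '' || ! is_string( $stored ) || $stored === '' ) {
        return new WP_Error( 'as_no_secret', 'No remember-me secret set', array( 'status' => 403 ) );
    }
    if ( ! hash_equals( $stored, $secret ) ) {   // strict, timing-safe comparison
        return new WP_Error( 'as_bad_secret', 'Invalid secret', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'account-switcher/v1', '/rememberLogin', array(
        'methods'             => 'POST',
        'callback'            => 'as_remember_login_fixed',
        // Replaces '__return_true': only users holding the assumed
        // 'manage_options' capability may reach the callback at all.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'userId' => array( 'required' => true, 'type' => 'integer' ),
            'secret' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```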
Attack Vector
An authenticated attacker with Subscriber-level access or higher sends a crafted REST request to the rememberLogin endpoint specifying a target user ID and an empty secret parameter. Because no capability check exists and the loose comparison succeeds, the server issues an authentication cookie for the target user. Selecting an Administrator account as the target grants full administrative control over the WordPress site, including plugin and theme management, user creation, and content modification.
No verified public proof-of-concept code is available. See the Wordfence Vulnerability Report and the vulnerable source at RestAPI.php line 111 for technical details.
Detection Methods for CVE-2026-6456
Indicators of Compromise
- POST requests to WordPress REST routes registered by the Account Switcher plugin, particularly endpoints invoking rememberLogin, originating from Subscriber-level accounts
- Authentication cookie issuance for Administrator accounts without a corresponding successful wp-login.php flow
- Unexpected creation of new administrator users, plugin installations, or theme uploads following Subscriber session activity
Detection Strategies
- Inspect web server access logs for POST /wp-json/ requests targeting the account-switcher namespace with empty or missing secret parameters
- Correlate WordPress audit log events showing privilege changes or sensitive actions performed by accounts that recently authenticated via the plugin's REST endpoint
- Alert on session identifier transitions where a single browser fingerprint or IP address rapidly assumes multiple WordPress user contexts
Monitoring Recommendations
- Forward WordPress application logs and webserver access logs to a centralized analytics platform for query and retention
- Establish a baseline of normal REST API traffic for the plugin and alert on deviations such as unauthenticated user enumeration or repeated userId parameter changes
- Monitor for newly created administrator accounts and review the audit trail of any user that escalated privileges within a short time window
How to Mitigate CVE-2026-6456
Immediate Actions Required
- Deactivate and remove the Account Switcher plugin from any WordPress installation running version 1.0.2 or earlier until a patched release is available
- Audit the WordPress users table for unexpected Administrator accounts and reset credentials for all privileged users
- Review installed plugins, themes, and uploaded files for unauthorized modifications introduced after the plugin became active
Patch Information
No fixed version is referenced in the available advisory data at the time of publication. Monitor the Account Switcher plugin page and the Wordfence Vulnerability Report for updates and apply the vendor patch as soon as it is released.
Workarounds
- Block external access to the plugin's REST API routes at the web application firewall or reverse proxy layer until a fix is published
- Restrict the WordPress site to invitation-only registration and remove any unused Subscriber-level accounts to reduce the attacker pool
- Enforce multi-factor authentication on all Administrator accounts so that a stolen authentication cookie alone is insufficient for full takeover
# Example WAF rule concept: block REST requests to the vulnerable namespace
# until the plugin is patched or removed
location ~* /wp-json/account-switcher/ {
    return 403;
}
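For the detection strategies and workarounds above, an added example (not part of the plugin or the advisory) of a must-use plugin that guards the endpoint inside WordPress: ordinary access logs do not record POST bodies, so the empty-secret condition is easiest to observe and block at the REST dispatch layer. The namespace 'account-switcher' and the 'secret' and 'userId' parameter names are assumptions.

```php
<?php
/**
 * Plugin Name: Account Switcher REST guard (added example, not from the plugin)
 * Drop into wp-content/mu-plugins/. Logs every request to the plugin's REST
 * namespace and rejects those whose secret is empty or missing. The namespace
 * 'account-switcher' and the 'secret'/'userId' parameter names are assumptions.
 */

// rest_pre_dispatch runs after REST authentication and before the route
// callback; returning a non-null value short-circuits the request.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    $route = $request->get_route();
    if ( strpos( $route, '/account-switcher/' ) !== 0 ) {
        return $result;                       // not this plugin, leave untouched
    }

    $secret = $request->get_param( 'secret' );
    $target = $request->get_param( 'userId' );
    $actor  = get_current_user_id();          // 0 when the caller is not logged in
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $empty  = ! is_string( $secret ) || $secret === '';

    // Indicator from the advisory: a low-privilege caller reaching the
    // switcher endpoints. Log actor, target and IP for later correlation.
    error_log( sprintf(
        'account-switcher REST: route=%s method=%s actor=%d target=%s ip=%s empty_secret=%s',
        $route, $request->get_method(), $actor, var_export( $target, true ), $ip,
        $empty ? 'yes' : 'no'
    ) );

    // Block the exploitable condition regardless of which user is targeted.
    if ( $empty ) {
        return new WP_Error( 'as_guard_empty_secret', 'Request rejected by REST guard',
            array( 'status' => 403 ) );
    }

    // Stricter stance while unpatched: nobody below the assumed
    // 'manage_options' capability may use the switcher at all. This keeps
    // the plugin usable for administrators, unlike the WAF rule above.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'as_guard_forbidden', 'Request rejected by REST guard',
            array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
```

The error_log lines land in the PHP error log (or debug.log when WP_DEBUG_LOG is on), which is where the centralized log forwarding recommended above should collect them.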
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.