ZeroPath at Black Hat USA 2026

Account Switcher for WordPress CVE-2026-6456: Brief Summary of a Privilege Escalation via REST API Authentication Bypass

A brief summary of CVE-2026-6456, a CVSS 8.8 authentication bypass in the Account Switcher WordPress plugin that allows any Subscriber to escalate to Administrator through a loose comparison flaw in the REST API secret validation.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Account Switcher for WordPress CVE-2026-6456: Brief Summary of a Privilege Escalation via REST API Authentication Bypass
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A loose PHP comparison operator and a missing empty value check in a WordPress plugin's REST API are all it takes for a Subscriber to become an Administrator. CVE-2026-6456 affects the Account Switcher plugin for WordPress, where a logic flaw in secret validation allows any low privilege authenticated user to impersonate any other user on the site, including full Administrators, without any user interaction.

The Account Switcher plugin, developed by BeycanPress LLC, provides WordPress administrators with the ability to quickly switch between user accounts for testing and management purposes. The plugin was published on the WordPress.org directory in March 2025. It is relevant here because its intended functionality (switching user contexts) makes the consequences of an authentication bypass particularly direct: the mechanism for switching accounts is itself the vulnerable surface.

Technical Information

The vulnerability in CVE-2026-6456 is the result of two independent coding failures that, when combined, form a complete authentication bypass chain. We will walk through each component and then describe the full attack flow.

Unrestricted REST API Routes

All REST routes registered by the Account Switcher plugin use the following permission callback configuration in app/PluginHero/BaseAPI.php:

permission_callback => '__return_true'

The __return_true function is a WordPress utility that simply returns true unconditionally. When used as a permission_callback, it means that WordPress performs no capability or role check before allowing a request to reach the endpoint handler. Any authenticated user, whether they hold a Subscriber, Contributor, Author, Editor, or Administrator role, can call any of the plugin's REST endpoints.

This is documented in the plugin source at BaseAPI.php line 54.

Loose Secret Validation in the rememberLogin Endpoint

The rememberLogin REST API endpoint, located at app/RestAPI.php:111, is responsible for validating a secret value before granting access to a target user account. The code uses the loose comparison operator != instead of the strict comparison operator !== to compare the submitted secret against the stored value. Additionally, the code does not validate that the submitted secret is non-empty.

This is documented in the plugin source at RestAPI.php line 111.

The Empty Meta Precondition

The exploit depends on a specific but commonly occurring condition. When a target user has never used the plugin's "Remember me" feature, their asSecret user meta key does not exist in the WordPress database. In WordPress, calling get_user_meta() for a nonexistent single meta key returns an empty string ('').

An attacker exploits this by sending a request to the rememberLogin endpoint with an empty secret parameter. The loose comparison then evaluates:

'' != ''

In PHP, this expression evaluates to false. Because the validation logic checks whether the secret does not match (using !=), a false result means the check passes, and the code proceeds as if the secret were valid.

Following this successful bypass, the endpoint calls wp_set_auth_cookie() for the target user, which generates a fully valid WordPress authentication cookie and delivers it to the attacker.

Full Attack Flow

  1. The attacker authenticates to the WordPress site with a Subscriber (or higher) account.
  2. The attacker identifies the user ID of a target Administrator. User IDs in WordPress are often predictable (the first admin account is typically user ID 1).
  3. The attacker sends a REST API request to the rememberLogin endpoint, supplying the target user ID and an empty secret parameter.
  4. The plugin retrieves the target user's asSecret meta value via get_user_meta(). Because the target has never used the "Remember me" feature, the function returns an empty string.
  5. The loose comparison '' != '' evaluates to false, and the secret validation passes.
  6. The endpoint calls wp_set_auth_cookie() for the target user ID, issuing a valid session cookie in the HTTP response.
  7. The attacker is now fully authenticated as the target Administrator, with complete control over the WordPress installation.

The following table summarizes the key evidence points in the exploit chain:

Evidence ItemFile LocationImpact
Unrestricted REST Routesapp/PluginHero/BaseAPI.phpAllows any authenticated user to access endpoints via __return_true
Loose Secret Validationapp/RestAPI.php:111Evaluates empty strings as valid when asSecret meta is missing
Authentication Cookie Generationapp/RestAPI.phpCalls wp_set_auth_cookie() to grant the attacker a valid session for the target account

The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting network accessibility, low attack complexity, low privilege requirements, no user interaction, and high impact across confidentiality, integrity, and availability.

Affected Systems and Versions

All versions of the Account Switcher plugin for WordPress up to and including version 1.0.2 are affected. Version 1.0.2 is the latest release. No patched version exists.

The vulnerability requires:

  • The Account Switcher plugin to be installed and active on the WordPress site.
  • The attacker to have an authenticated account with at least Subscriber level privileges.
  • The target user account to have never used the plugin's "Remember me" feature (meaning the asSecret user meta key does not exist for that user).

The WordPress plugin directory closed the Account Switcher plugin on May 14, 2026, pending a full review. The plugin is no longer available for download from the official repository.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization