Introduction
A loose PHP comparison operator and a missing empty value check in a WordPress plugin's REST API are all it takes for a Subscriber to become an Administrator. CVE-2026-6456 affects the Account Switcher plugin for WordPress, where a logic flaw in secret validation allows any low privilege authenticated user to impersonate any other user on the site, including full Administrators, without any user interaction.
The Account Switcher plugin, developed by BeycanPress LLC, provides WordPress administrators with the ability to quickly switch between user accounts for testing and management purposes. The plugin was published on the WordPress.org directory in March 2025. It is relevant here because its intended functionality (switching user contexts) makes the consequences of an authentication bypass particularly direct: the mechanism for switching accounts is itself the vulnerable surface.
Technical Information
The vulnerability in CVE-2026-6456 is the result of two independent coding failures that, when combined, form a complete authentication bypass chain. We will walk through each component and then describe the full attack flow.
Unrestricted REST API Routes
All REST routes registered by the Account Switcher plugin use the following permission callback configuration in app/PluginHero/BaseAPI.php:
permission_callback => '__return_true'
The __return_true function is a WordPress utility that simply returns true unconditionally. When used as a permission_callback, it means that WordPress performs no capability or role check before allowing a request to reach the endpoint handler. Any authenticated user, whether they hold a Subscriber, Contributor, Author, Editor, or Administrator role, can call any of the plugin's REST endpoints.
This is documented in the plugin source at BaseAPI.php line 54.
Loose Secret Validation in the rememberLogin Endpoint
The rememberLogin REST API endpoint, located at app/RestAPI.php:111, is responsible for validating a secret value before granting access to a target user account. The code uses the loose comparison operator != instead of the strict comparison operator !== to compare the submitted secret against the stored value. Additionally, the code does not validate that the submitted secret is non-empty.
This is documented in the plugin source at RestAPI.php line 111.
The Empty Meta Precondition
The exploit depends on a specific but commonly occurring condition. When a target user has never used the plugin's "Remember me" feature, their asSecret user meta key does not exist in the WordPress database. In WordPress, calling get_user_meta() for a nonexistent single meta key returns an empty string ('').
An attacker exploits this by sending a request to the rememberLogin endpoint with an empty secret parameter. The loose comparison then evaluates:
'' != ''
In PHP, this expression evaluates to false. Because the validation logic checks whether the secret does not match (using !=), a false result means the check passes, and the code proceeds as if the secret were valid.
Following this successful bypass, the endpoint calls wp_set_auth_cookie() for the target user, which generates a fully valid WordPress authentication cookie and delivers it to the attacker.
Full Attack Flow
- The attacker authenticates to the WordPress site with a Subscriber (or higher) account.
- The attacker identifies the user ID of a target Administrator. User IDs in WordPress are often predictable (the first admin account is typically user ID 1).
- The attacker sends a REST API request to the
rememberLoginendpoint, supplying the target user ID and an emptysecretparameter. - The plugin retrieves the target user's
asSecretmeta value viaget_user_meta(). Because the target has never used the "Remember me" feature, the function returns an empty string. - The loose comparison
'' != ''evaluates tofalse, and the secret validation passes. - The endpoint calls
wp_set_auth_cookie()for the target user ID, issuing a valid session cookie in the HTTP response. - The attacker is now fully authenticated as the target Administrator, with complete control over the WordPress installation.
The following table summarizes the key evidence points in the exploit chain:
| Evidence Item | File Location | Impact |
|---|---|---|
| Unrestricted REST Routes | app/PluginHero/BaseAPI.php | Allows any authenticated user to access endpoints via __return_true |
| Loose Secret Validation | app/RestAPI.php:111 | Evaluates empty strings as valid when asSecret meta is missing |
| Authentication Cookie Generation | app/RestAPI.php | Calls wp_set_auth_cookie() to grant the attacker a valid session for the target account |
The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, reflecting network accessibility, low attack complexity, low privilege requirements, no user interaction, and high impact across confidentiality, integrity, and availability.
Affected Systems and Versions
All versions of the Account Switcher plugin for WordPress up to and including version 1.0.2 are affected. Version 1.0.2 is the latest release. No patched version exists.
The vulnerability requires:
- The Account Switcher plugin to be installed and active on the WordPress site.
- The attacker to have an authenticated account with at least Subscriber level privileges.
- The target user account to have never used the plugin's "Remember me" feature (meaning the
asSecretuser meta key does not exist for that user).
The WordPress plugin directory closed the Account Switcher plugin on May 14, 2026, pending a full review. The plugin is no longer available for download from the official repository.
References
- Wordfence Vulnerability Advisory: Account Switcher <= 1.0.2 Authentication Bypass to Privilege Escalation
- NVD Entry for CVE-2026-6456
- CVE Record: CVE-2026-6456
- WordPress Plugin Directory: Account Switcher
- Plugin Source: RestAPI.php Line 111
- Plugin Source: BaseAPI.php Line 54
- BeycanPress LLC WordPress Profile



