WordPress Account Switcher Plugin: Critical Privilege Escalation (CVE-2026-6456)

The National Vulnerability Database (NVD) reports a critical privilege escalation vulnerability, CVE-2026-6456, in the Account Switcher plugin for WordPress, affecting all versions up to and including 1.0.2. This flaw allows authenticated attackers, even those with mere Subscriber-level access, to assume full administrative control over a WordPress site.

The vulnerability stems from a loose comparison (`!=`) of the secret in the rememberLogin REST API endpoint, combined with the absence of any check that the secret is non-empty. When a target user has never used the “Remember me” feature, their asSecret user meta does not exist, so get_user_meta() returns an empty string. An attacker can then send an empty secret parameter, which satisfies the comparison and leads to wp_set_auth_cookie() being called for the target user. Compounding this, all REST routes in the plugin use permission_callback => '__return_true', so no capability check is performed at all. This combination is a defender’s nightmare: any low-privileged user can become an admin.
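The check described above, modelled as an added example that is not the plugin's own code (the advisory does not reproduce its source): the vulnerable shape of the handler beside a hardened one. The REST namespace, route and `asSecret` meta key follow the advisory; the `user_id` parameter name and all function names are assumptions.

```php
<?php
// Added illustration, not code from the Account Switcher plugin.
// Namespace, route and meta key come from the advisory; 'user_id' and the
// function names below are assumed.

// --- Vulnerable shape as the advisory describes it ---
function vuln_remember_login( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $secret  = $request->get_param( 'secret' );
    // For a user who never used "Remember me" the meta is absent, so
    // get_user_meta() yields '' and '' != '' is false: the check passes
    // for an empty (or missing) secret.
    if ( get_user_meta( $user_id, 'asSecret', true ) != $secret ) {
        return new WP_Error( 'invalid_secret', 'Invalid secret', array( 'status' => 403 ) );
    }
    wp_set_auth_cookie( $user_id );
    return rest_ensure_response( array( 'switched' => true ) );
}
// Registered with 'permission_callback' => '__return_true', i.e. no capability check.

// --- Hardened shape ---
function safe_register_routes() {
    register_rest_route( 'account-switcher/v1', '/rememberLogin', array(
        'methods'             => 'POST',
        'callback'            => 'safe_remember_login',
        // Only users who may already administer the site can switch accounts.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'user_id' => array( 'required' => true, 'type' => 'integer' ),
            'secret'  => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
}

function safe_remember_login( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $secret  = (string) $request->get_param( 'secret' );
    $stored  = (string) get_user_meta( $user_id, 'asSecret', true );

    // Reject when either side is empty: an absent meta must never match.
    if ( '' === $stored || '' === $secret ) {
        return new WP_Error( 'no_secret', 'No remembered login for this user', array( 'status' => 403 ) );
    }
    // Strict, constant-time comparison instead of loose !=.
    if ( ! hash_equals( $stored, $secret ) ) {
        return new WP_Error( 'invalid_secret', 'Invalid secret', array( 'status' => 403 ) );
    }
    if ( ! get_userdata( $user_id ) ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    wp_set_auth_cookie( $user_id );
    return rest_ensure_response( array( 'switched' => true ) );
}

add_action( 'rest_api_init', 'safe_register_routes' );
```

The hardened version closes all three gaps the advisory names: the permission callback enforces a capability, the empty-secret case is rejected before any comparison, and `hash_equals()` replaces the loose `!=`.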

NVD assigns a CVSS score of 8.8 (HIGH) to CVE-2026-6456, underscoring the severity. The issue is categorized under CWE-287 (Improper Authentication). Given the widespread use of WordPress and the ease of exploitation, this vulnerability presents a significant risk to affected installations.

What This Means For You

  • If your organization uses the WordPress Account Switcher plugin, you need to act immediately. This isn't theoretical; it's a direct path to full site compromise from a low-privileged account. Audit your WordPress installations for this plugin and ensure it's either removed or updated to a patched version once available. Until then, consider disabling or restricting access to the plugin's functionality if feasible, and monitor for unusual administrative activity.
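One way to apply the interim restriction suggested above, as an added example that is not part of the original advisory or of the plugin: a must-use plugin that gates every route in the plugin's REST namespace behind `manage_options` and logs each attempt, so low-privileged calls are both blocked and visible. The namespace is taken from the advisory's endpoint path; the capability choice, log line format and function name are assumptions.

```php
<?php
/**
 * Plugin Name: Account Switcher REST guard (added example, not the plugin's code)
 * Description: Stop-gap for CVE-2026-6456: require manage_options on every
 *              account-switcher/v1 route and log each attempt until the plugin is patched.
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * The namespace comes from the advisory; capability and log format are assumed.
 */

add_filter( 'rest_pre_dispatch', 'scw_guard_account_switcher', 10, 3 );

function scw_guard_account_switcher( $result, $server, $request ) {
    $route = $request->get_route(); // e.g. /account-switcher/v1/rememberLogin
    if ( 0 !== strpos( $route, '/account-switcher/v1/' ) ) {
        return $result; // not a plugin route; let WordPress continue normally
    }

    $allowed = current_user_can( 'manage_options' );
    $user    = wp_get_current_user();

    // One line per attempt in the PHP error log (or wp-content/debug.log when WP_DEBUG_LOG is on).
    error_log( sprintf(
        'account-switcher route=%s method=%s user_id=%d ip=%s allowed=%s',
        $route,
        $request->get_method(),
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        $allowed ? 'yes' : 'no'
    ) );

    if ( ! $allowed ) {
        // Returning a WP_Error from rest_pre_dispatch short-circuits the request.
        return new WP_Error(
            'rest_forbidden',
            'Account switching is disabled pending the CVE-2026-6456 fix.',
            array( 'status' => 403 )
        );
    }
    return $result;
}
```

This blocks the whole namespace, including any legitimate switch-back calls by non-administrators, which is the trade-off of a stop-gap; remove the file once a patched plugin version is installed.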

Detection Rules

Rule: WordPress Account Switcher Plugin Privilege Escalation via REST API - CVE-2026-6456 (level: critical; ATT&CK T1068 Privilege Escalation)

```yaml
title: WordPress Account Switcher Plugin Privilege Escalation via REST API - CVE-2026-6456
id: scw-2026-05-20-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-6456, a critical privilege escalation
  vulnerability in the WordPress Account Switcher plugin, by matching POST
  requests to the 'rememberLogin' REST API endpoint. The exploit sends an empty
  'secret' parameter; because REST parameters are normally carried in the POST
  body, which webserver access logs do not record, the rule keys on the endpoint
  and method rather than on a 'secret=' query string. Triage hits against the
  requesting account where application logs record it.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6456/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains: '/wp-json/account-switcher/v1/rememberLogin'
    cs-method: 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-6456 | Privilege Escalation | WordPress plugin: Account Switcher <= 1.0.2 |
| CVE-2026-6456 | Privilege Escalation | Vulnerable REST API endpoint: `rememberLogin` in `app/RestAPI.php:111` |
| CVE-2026-6456 | Privilege Escalation | Weak secret validation using loose comparison (`!=`) and no empty secret check |
| CVE-2026-6456 | Privilege Escalation | REST routes use `permission_callback => '__return_true'` with no capability checks |

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 20, 2026 at 05:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
