{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5617", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-05T15:42:32.653Z", "datePublished": "2026-04-15T07:45:29.695Z", "dateUpdated": "2026-04-15T16:13:15.117Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T07:45:29.695Z"}, "affected": [{"vendor": "royalnavneet", "product": "Login as User \u2013 Switch User & WooCommerce Login as Customer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without any server-side verification that the cookie value was legitimately set during an admin-initiated user switch. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to administrator by setting the oclaup_original_admin cookie to an administrator's user ID and triggering the \"Return to Admin\" functionality."}], "title": "Login as User <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation via 'oclaup_original_admin' Cookie", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0c74d48-6cfc-4899-bd2c-4a80b1f6e05f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/trunk/includes/class-login-handler.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/tags/1.0.3/includes/class-login-handler.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/tags/1.0.3/includes/class-login-handler.php#L50"}, {"url": "https://wordpress.org/plugins/one-click-login-as-user/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "HA GIA BAO"}], "timeline": [{"time": "2026-04-14T19:44:50.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:32:27.091082Z", "id": "CVE-2026-5617", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T16:13:15.117Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5617", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-15T13:32:27.091082Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:32:31.709Z"}}], "cna": {"title": "Login as User <= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation via 'oclaup_original_admin' Cookie", "credits": [{"lang": "en", "type": "finder", "value": "HA GIA BAO"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "royalnavneet", "product": "Login as User \u2013 Switch User & WooCommerce Login as Customer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-14T19:44:50.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0c74d48-6cfc-4899-bd2c-4a80b1f6e05f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/trunk/includes/class-login-handler.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/tags/1.0.3/includes/class-login-handler.php#L45"}, {"url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/tags/1.0.3/includes/class-login-handler.php#L50"}, {"url": "https://wordpress.org/plugins/one-click-login-as-user/"}], "descriptions": [{"lang": "en", "value": "The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without any server-side verification that the cookie value was legitimately set during an admin-initiated user switch. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to administrator by setting the oclaup_original_admin cookie to an administrator's user ID and triggering the \"Return to Admin\" functionality."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-15T07:45:29.695Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5617", "state": "PUBLISHED", "dateUpdated": "2026-04-15T16:13:15.117Z", "dateReserved": "2026-04-05T15:42:32.653Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-15T07:45:29.695Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without any server-side verification that the cookie value was legitimately set during an admin-initiated user switch. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to administrator by setting the oclaup_original_admin cookie to an administrator's user ID and triggering the \"Return to Admin\" functionality."}], "id": "CVE-2026-5617", "lastModified": "2026-04-22T20:23:16.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-15T09:16:33.210", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/tags/1.0.3/includes/class-login-handler.php#L45"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/tags/1.0.3/includes/class-login-handler.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/one-click-login-as-user/trunk/includes/class-login-handler.php#L45"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/one-click-login-as-user/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c0c74d48-6cfc-4899-bd2c-4a80b1f6e05f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.0.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Login as User \u2013 Switch User & WooCommerce Login as Customer", "source": "cna", "vendor": "royalnavneet"}, "product": "login_as_user_\u2013_switch_user_&_woocommerce_login_as_customer", "vendor": "royalnavneet"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T09:50:43.636841+00:00", "value": {"mitigation_remediation": ["Upgrade the Login as User plugin to the latest available version where the handle_return_to_admin() function validates the cookie against a server\u2011side session flag.", "If upgrading is not immediately possible, remove or deactivate the Login as User plugin until a patched version is available.", "Configure the WordPress site to block or clear the oclaup_original_admin cookie via server\u2011side rules such as .htaccess or a web\u2011application firewall to prevent client\u2011side manipulation."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "WordPress users who have installed the Login as User \u2013 Switch User & WooCommerce Login as Customer plugin by royalnavneet, versions 1.0.3 and earlier, are affected. The plugin is distributed through the official WordPress plugin repository and also available from the plugin's source. All installations that rely on the handle_return_to_admin() function to switch back to the admin after a user switch are vulnerable.", "description_and_impact": "The Vulnerability in the WordPress Login as User plugin allows an attacker with existing authenticated access, at least at Subscriber level, to elevate their privileges to full administrative control. The flaw exists because the handle_return_to_admin() function trusts the client-supplied oclaup_original_admin cookie to select which user to authenticate as, without verifying that the cookie was set as a result of an authorized admin-initiated user switch. By setting the cookie value to the ID of an administrator, the attacker can trigger the Return to Admin feature and obtain administrator privileges. This is a classic authorization bypass and, if exploited, compromises confidentiality, integrity, and availability of the WordPress installation.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.8, indicating high severity. No EPSS value is available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting that widespread exploitation is not yet documented. The attack requires only that the attacker can authenticate as a regular user with Subscriber level or higher. The browser can be used to set the oclaup_original_admin cookie to an administrator\u2019s user ID and then trigger the Return to Admin action. Because the cookie manipulation is client\u2011side and does not require admin credentials, this privilege escalation can be performed from a normal user context, making the risk significant for sites that grant Subscriber access to many users."}}}}, "created": "2026-04-15T13:49:14.866794+00:00", "updated": "2026-04-15T14:53:25.861726+00:00", "vendors": ["royalnavneet", "royalnavneet$PRODUCT$login_as_user_\u2013_switch_user_&_woocommerce_login_as_customer", "wordpress", "wordpress$PRODUCT$wordpress"]}