CVE-2026-6456

WordPress · Account Switcher plugin

The Account Switcher plugin for WordPress is vulnerable to privilege escalation in all versions up to and including 1.

Executive summary

The Account Switcher plugin for WordPress is susceptible to a privilege escalation vulnerability that could allow unauthorized users to gain elevated administrative rights.

Vulnerability

The plugin contains a privilege-escalation flaw: a user holding a low-privilege role can obtain permissions that the plugin should never grant them. The advisory does not state the root cause, but the description points to missing or insufficient access-control checks (authorization around the plugin's account-switching and role-handling functions) rather than a bug in WordPress core itself.

Business impact

A CVSS score of 8.8 (High) reflects that a successful attack hands the attacker administrative rights. A WordPress administrator can install plugins, edit theme and plugin files, and read or modify every user account, so the realistic outcome is full compromise of the site and, through it, of any user data it holds.

Remediation

Immediate Action: Update the Account Switcher plugin to the latest version. If no patched version is available, deactivate and delete the plugin; deactivating alone leaves the vulnerable code on disk.

Proactive Monitoring: Review the site's user database (wp_users together with the wp_capabilities entries in wp_usermeta) for unexpected role changes, in particular the administrator role added to an existing low-privilege account, and for newly created administrator accounts.

Compensating Controls: Use a WAF to alert on and block requests to the plugin's account-switching and role-modification functions from accounts that have no business reaching them, until the plugin is updated or removed.
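The role review above can be scripted. The following is an added example, not code from the advisory or from the plugin: it takes rows exported from the site's database (wp_users joined to the wp_capabilities row in wp_usermeta, using the default wp_ table prefix), parses the PHP-serialized capabilities value, and flags every account holding the administrator role that is not on an expected-admin allowlist, was registered after a chosen date, or carries administrator alongside another role. The sample rows, the allowlist and the cut-off date are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample rows, as returned by a query such as (default wp_ prefix assumed):
#   SELECT u.ID, u.user_login, u.user_registered, m.meta_value
#   FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#   WHERE m.meta_key = 'wp_capabilities';
# None of these accounts exist on any real site.
SAMPLE_ROWS = [
    (1, "siteowner",    "2021-03-02 10:15:00", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor_jane",  "2022-07-19 08:00:00", 'a:1:{s:6:"editor";b:1;}'),
    (3, "sub_bob",      "2023-01-11 12:30:00", 'a:1:{s:10:"subscriber";b:1;}'),
    # a subscriber that has had administrator added to its capabilities
    (4, "wpsupport",    "2024-05-30 03:12:44",
     'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    # an administrator account nobody remembers creating
    (5, "backup_admin", "2024-06-01 02:05:09", 'a:1:{s:13:"administrator";b:1;}'),
]

# wp_capabilities is a PHP-serialized array of role_name => bool, e.g.
#   a:1:{s:13:"administrator";b:1;}
# Each entry is  s:<len>:"<name>";b:<0|1>;  which this pattern captures.
_CAP_ENTRY = re.compile(r's:\d+:"([^"]*)";b:([01]);')


def parse_capabilities(serialized):
    """Return the set of roles/capabilities enabled (b:1) in a wp_capabilities value."""
    return {name for name, flag in _CAP_ENTRY.findall(serialized) if flag == "1"}


def find_unexpected_admins(rows, expected_admins, since=None):
    """Return a list of findings for administrator accounts that look suspicious.

    rows            - iterable of (ID, user_login, user_registered, wp_capabilities)
    expected_admins - set of user_login values known to be legitimate administrators
    since           - optional datetime; admins registered at or after it are flagged
    """
    findings = []
    for uid, login, registered, caps in rows:
        roles = parse_capabilities(caps)
        if "administrator" not in roles:
            continue
        reasons = []
        if login not in expected_admins:
            reasons.append("administrator not on the expected-admin list")
        if len(roles) > 1:
            # WordPress normally assigns one role; administrator stacked onto a
            # lower role is the signature of a role being added to an existing account.
            reasons.append("administrator added alongside other roles: " + ", ".join(sorted(roles - {"administrator"})))
        registered_at = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if since is not None and registered_at >= since:
            reasons.append("registered on or after " + since.strftime("%Y-%m-%d"))
        if reasons:
            findings.append({"ID": uid, "user_login": login,
                             "roles": sorted(roles), "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed allowlist and cut-off date (e.g. the date the plugin was installed).
    for f in find_unexpected_admins(SAMPLE_ROWS, {"siteowner"}, since=datetime(2024, 5, 1)):
        print(f"user {f['ID']} ({f['user_login']}): {'; '.join(f['reasons'])}")
```

The same listing is available on the server with WP-CLI (`wp user list --role=administrator --fields=ID,user_login,user_registered`); the script is for the case where only a database export is at hand and for catching the stacked-role pattern, which a role filter alone does not show. Compare the output against the list of administrators your team actually created before deciding that an account is a finding.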

Exploitation status

Public Exploit Available: false

Analyst recommendation

The urgency of this vulnerability is high because successful exploitation yields full administrative control of the site. Administrators should apply the update immediately or remove the plugin, which eliminates the attack vector entirely.