CVE-2026-6456
WordPress · Account Switcher plugin
The Account Switcher plugin for WordPress is vulnerable to privilege escalation in all versions up to and including 1.
Executive summary
The Account Switcher plugin for WordPress is susceptible to a privilege escalation vulnerability that could allow unauthorized users to gain elevated administrative rights.
Vulnerability
The plugin contains a flaw that enables privilege escalation: an authenticated user can obtain higher-level permissions than intended. The available description points to insufficient access control (capability) checks in the plugin's core functions.
Business impact
A CVSS score of 8.8 indicates that this vulnerability is severe, as it facilitates unauthorized privilege escalation. This risk could allow an attacker to bypass standard security controls, potentially leading to a complete compromise of the WordPress environment and unauthorized access to user accounts.
Remediation
Immediate Action: Update the Account Switcher plugin to the latest version. If no update is available, deactivate and remove the plugin immediately.
Proactive Monitoring: Review the site’s user database for any unexpected account role changes or the creation of new administrator accounts.
Compensating Controls: Utilize a WAF to monitor for and block unauthorized attempts to execute functions associated with account management or role modification.
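The "Proactive Monitoring" step above can be scripted. The following is an added example written for this advisory, not code from the plugin or from WordPress itself: it reads the `wp_capabilities` meta values that WordPress stores for each user (PHP-serialized arrays such as `a:1:{s:13:"administrator";b:1;}`), parses out the roles that are set to true, and reports every user holding `administrator` who is not in a baseline snapshot of expected administrators. The rows, the baseline set and the default `wp_` table prefix are assumptions; on a real site the rows would come from the `wp_usermeta` table (for example via `wp db query`) and the prefix from `wp-config.php`.

```python
import re

# Constructed sample of wp_usermeta rows as (user_id, meta_key, meta_value).
# On a live site they could be pulled with WP-CLI, e.g.:
#   wp db query "SELECT user_id, meta_key, meta_value FROM wp_usermeta
#                WHERE meta_key = 'wp_capabilities'" --skip-column-names
# These values are invented for the example and are not real users.
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    # user 4 kept subscriber but gained administrator: the pattern a role-change
    # escalation leaves behind in the database
    (4, "wp_capabilities", 'a:2:{s:10:"subscriber";b:1;s:13:"administrator";b:1;}'),
    # user 5 is an administrator that is not in the baseline (new admin account)
    (5, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "nickname", "ed"),  # unrelated meta row, must be ignored
]

# Assumed baseline: user IDs that are *expected* to hold the administrator role.
# Take this snapshot from a known-good state of the site.
EXPECTED_ADMINS = {1}

# Matches one entry of a PHP-serialized string=>bool map: s:<len>:"<name>";b:<0|1>;
ROLE_RE = re.compile(r's:(\d+):"([^"]*)";b:([01]);')


def parse_roles(serialized):
    """Return the set of role names set to true in a PHP-serialized capabilities array.

    The declared byte length is checked against the name so that a malformed or
    truncated value does not yield a bogus role name.
    """
    roles = set()
    for length, name, flag in ROLE_RE.findall(serialized):
        if int(length) == len(name.encode()) and flag == "1":
            roles.add(name)
    return roles


def find_unexpected_admins(rows, expected_admins, table_prefix="wp_"):
    """Map user_id -> sorted roles for every administrator not in the baseline.

    table_prefix defaults to WordPress's default 'wp_'; sites with a custom
    $table_prefix store the meta under '<prefix>capabilities'.
    """
    cap_key = f"{table_prefix}capabilities"
    flagged = {}
    for user_id, meta_key, meta_value in rows:
        if meta_key != cap_key:
            continue
        roles = parse_roles(meta_value)
        if "administrator" in roles and user_id not in expected_admins:
            flagged[user_id] = sorted(roles)
    return flagged


if __name__ == "__main__":
    for uid, roles in find_unexpected_admins(SAMPLE_USERMETA, EXPECTED_ADMINS).items():
        print(f"unexpected administrator: user_id={uid} roles={roles}")
```

Run it periodically (cron or a scheduled job) against a fresh export and alert on any non-empty result; refresh the baseline only after a human confirms each new administrator was created deliberately. Checking the serialized role data directly, rather than trusting the admin UI, also catches accounts whose role was changed through a plugin function rather than through the normal user screens.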
Exploitation status
Public Exploit Available: false
Analyst recommendation
The urgency of this vulnerability is high due to the potential for total administrative compromise. Administrators are advised to apply the necessary updates immediately or remove the plugin to eliminate the attack vector entirely.