WP User Switch < 1.0.3 – Subscriber+ Authentication Bypass | CVE 2023-2546 | Plugin Vulnerabilities

Description

The plugin does not properly verify the 'wpus_who_switch' cookie value, which allows attackers with low-privilege accounts like Subscribers to bypass authentication and login as any other existing user.

Proof of Concept

Log-in as a subscriber onto the affected site.

Run the following JS script in your browser's console:
```
document.cookie = 'wpus_who_switch=simpleadmin'
```

Refresh the page, and notice you can now switch to any other user's account via the newly added "User Switch" toggle on the top WordPress Admin bar.

Affects Plugins

Fixed in 1.0.3

References

CVE

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Lana Codes

Verified

Yes

WPVDB ID

2ef5169d-d7ad-4269-8232-c38b39bb13d2

Timeline

Publicly Published

2023-06-04 (about 2 years ago)

Added

2023-06-06 (about 2 years ago)

Last Updated

2023-06-06 (about 2 years ago)

Other

Published

Title

Published

2023-05-24

Title

MStore API < 3.9.3 - Authentication Bypass

Published

2024-07-08

Title

WP2Speed Faster – Optimize PageSpeed Insights Score 90-100 <= 1.0.1 - Improper Authorization due to use of Hardcoded Credentials

Published

2025-04-30

Title

Digits < 8.4.6.1 - Auth Bypass via OTP Bruteforcing

Published

2024-07-10

Title

profile-builder < 3.11.9 - Unauthenticated Privilege Escalation

Published

2020-01-16

Title

WP Database Reset < 3.15 - Unauthenticated Database Reset