WordPress Plugin Vulnerabilities

Login as User or Customer (User Switching) <= 3.8 - Authentication Bypass

Description

The Login as User or Customer plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.8. This makes it possible for unauthenticated attackers to login as another user and escalate their privileges.

Affects Plugins

Plugin icon
login-as-customer-or-user
No known fix

References

CVE
CVE-2023-51484
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b07ea6a-511d-44ab-b0b7-5124702ad47d

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
9782a3cd-2395-4b96-a203-eaa4e8d41d48

Timeline

Publicly Published
2023-12-27 (about 2 years ago)
Added
2024-01-05 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2018-11-27
Title
Woo Confirmation Email < 3.2.0 - Missing Access Controls to View Uploaded files
Published
2022-09-05
Title
OAuth client Single Sign On for WordPress < 3.0.4 - Unauthenticated Settings Update to Authentication Bypass
Published
2022-04-21
Title
WPQA < 5.2 - Subscriber+ Arbitrary Profile Picture Deletion via IDOR
Published
2026-02-23
Title
WeDesignTech Ultimate Booking Addon <= 1.0.1 - Authentication Bypass
Published
2025-04-24
Title
JobSearch WP Job Board <= 2.9.2 - Authentication Bypass via Social Logins