
Account Switcher Plugin Vulnerability Lets Subscriber-Level Attackers Gain WordPress Admin Access

A critical privilege escalation flaw in the Account Switcher plugin for WordPress (CVE-2026-6456, CVSS 8.8) allows authenticated attackers with Subscriber-level access to gain full Administrator privileges on sites running versions up to 1.0.2, according to a security advisory published May 20, 2026. The vulnerability stems from loose comparison logic in the plugin's REST API endpoint combined with missing capability checks, creating a path for low-privilege users to hijack any account on affected installations.

TL;DR: CVE-2026-6456 lets a Subscriber-level attacker escalate to Administrator on WordPress sites running Account Switcher plugin versions through 1.0.2 by sending an empty secret parameter to an unprotected REST endpoint.

The vulnerability affects all Account Switcher plugin versions through 1.0.2. The advisory lists no patched version yet, leaving agencies with active deployments exposed until the vendor releases an update. For agencies managing white-label client portfolios, this represents an immediate audit priority: any site running the plugin grants potential attackers a straightforward path from the lowest authenticated role to complete site control.

How the Vulnerability Works

The flaw combines two weaknesses in the plugin's authentication flow. First, the rememberLogin REST API endpoint at app/RestAPI.php:111 validates secret tokens with a loose comparison operator (!= instead of !==). Second, the endpoint never checks that the secret parameter, or the stored secret it is compared against, is non-empty.

When a target user has never enabled the "Remember me" feature during login, WordPress stores no asSecret user meta for that account, and get_user_meta() returns an empty string. An attacker who sends an empty secret parameter therefore passes the check: '' != '' evaluates to false, so the rejection branch never runs, and the endpoint proceeds to call wp_set_auth_cookie() for the target user. The attacker's browser receives authentication cookies for the hijacked account. The loose comparison widens what is accepted, since PHP type juggling also treats null and false as equal to an empty string, but the decisive defect is that an empty stored secret is never rejected before the comparison is made.

The advisory notes an additional exposure: every REST route in the plugin is registered with permission_callback => '__return_true', so the REST server performs no authorization of its own and no capability check stands between the caller and the handler. Any authenticated user, including a Subscriber who normally holds no administrative permission, reaches the endpoint. Together the two defects let a Subscriber pick any user account, Administrators included, and obtain a logged-in session as that user without knowing the password or secret token.

[Figure: code snippet showing the vulnerable REST API endpoint with the loose comparison operator and missing validation]
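To make the two defects concrete, here is an added illustration of the vulnerable pattern the advisory describes next to a hardened version. This is example code written for this article, not the Account Switcher plugin's own source: the function names, the as-example/v1 namespace and route, the user_id parameter, and the edit_users capability used in the permission callback are all assumptions; only the asSecret meta key, the secret parameter and the loose != check come from the advisory.

```php
<?php
// Added example, NOT the Account Switcher plugin's code. Function names, the
// route/namespace, the user_id parameter and the capability are assumptions.

// --- Vulnerable shape, as the advisory describes it -------------------------
function as_example_remember_login_vulnerable( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $secret  = $request->get_param( 'secret' );   // from JSON: may be '', null, false ...

    // Returns '' when the user never enabled "Remember me" (no asSecret meta).
    $stored = get_user_meta( $user_id, 'asSecret', true );

    // Loose comparison. With $stored === '', none of these are rejected:
    //   '' != ''     -> false      null != ''  -> false      false != '' -> false
    //   0  != ''     -> false on PHP < 8 (true on PHP 8)
    // Nothing checks that $stored is non-empty, so the branch is skipped.
    if ( $secret != $stored ) {
        return new WP_Error( 'bad_secret', 'Invalid secret', array( 'status' => 403 ) );
    }

    wp_set_auth_cookie( $user_id );               // caller is now logged in as $user_id
    return rest_ensure_response( array( 'ok' => true ) );
}

// --- Hardened shape ---------------------------------------------------------
function as_example_remember_login_fixed( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $secret  = $request->get_param( 'secret' );
    $stored  = get_user_meta( $user_id, 'asSecret', true );

    // 1. Both sides must be non-empty strings. A user who never set a secret
    //    has $stored === '' and must be refused before any comparison happens.
    if ( ! is_string( $secret ) || '' === $secret || ! is_string( $stored ) || '' === $stored ) {
        return new WP_Error( 'bad_secret', 'Invalid secret', array( 'status' => 403 ) );
    }

    // 2. Type-strict, constant-time comparison (hash_equals requires strings,
    //    which step 1 guarantees; it also avoids leaking the match length via timing).
    if ( ! hash_equals( $stored, $secret ) ) {
        return new WP_Error( 'bad_secret', 'Invalid secret', array( 'status' => 403 ) );
    }

    wp_set_auth_cookie( $user_id );
    return rest_ensure_response( array( 'ok' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'as-example/v1', '/remember-login', array(
        'methods'  => 'POST',
        'callback' => 'as_example_remember_login_fixed',
        // Was '__return_true' in the vulnerable plugin. A capability check keeps
        // Subscribers out; edit_users is an assumed choice for an endpoint that
        // hands out sessions for other accounts.
        'permission_callback' => function () {
            return current_user_can( 'edit_users' );
        },
        'args' => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return is_numeric( $v ) && (int) $v > 0; },
            ),
            'secret'  => array(
                'required'          => true,
                // Reject empty/typed-null input at the schema layer as well.
                'validate_callback' => function ( $v ) { return is_string( $v ) && '' !== $v; },
            ),
        ),
    ) );
} );
```

The handler keeps its own non-empty checks even though the args validation also rejects empty input: the comparison must be safe on its own, because validate_callback only protects this one route registration, and the stored side (get_user_meta) is never covered by request validation.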

Impact on Agency Client Sites

The vulnerability carries a CVSS score of 8.8 (High) with Attack Vector: Network, Attack Complexity: Low, Privileges Required: Low, and User Interaction: None. In practice, any authenticated user on an affected site can exploit this remotely, with no special preconditions and no victim interaction.

For agencies running white-label WordPress operations, the risk surfaces across the entire client base if the Account Switcher plugin appears in standard builds or client-requested feature sets. A successful exploit grants attackers full site control: the ability to modify content, install malicious plugins, extract customer data, or pivot to other sites on shared hosting environments. Plugin vulnerabilities remain the dominant WordPress compromise vector, making rapid identification and patching a core operations competency.

The advisory references Wordfence's threat intelligence database and links to the plugin's WordPress.org repository, where the code remains publicly visible. Agencies should assume exploit code will circulate quickly once security researchers analyze the disclosed details.

Immediate Action Items for Agencies

Agencies managing WordPress client portfolios should audit active installations for the Account Switcher plugin immediately. The plugin's WordPress.org page shows installation counts and version distribution; agencies can query their own client site inventories with WP-CLI (wp plugin list) or centralized management tools such as MainWP, ManageWP, or InfiniteWP.

Sites confirmed to run Account Switcher versions through 1.0.2 have two options until a patched version ships: deactivate the plugin entirely, or block its REST routes before they reach the handler, either at the server level (.htaccess or Nginx rules) or inside WordPress itself. Deactivating removes the attack surface outright but breaks account switching for clients who rely on it. Server-level rules need careful scoping: a rule that matches only the /wp-json/ path misses the equivalent ?rest_route= request form, and a blanket block on the REST API breaks the block editor and other legitimate integrations.
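As an added example of the in-WordPress option, the following must-use plugin refuses every request under the plugin's REST namespace and logs the attempt, without touching the plugin's files. This is illustration code written for this article, not something the plugin or the advisory ships. The namespace string is an assumption: the advisory names only the rememberLogin endpoint, so the value must be read from the register_rest_route() calls in the installed copy's app/RestAPI.php before deployment.

```php
<?php
/**
 * Plugin Name: Block Account Switcher REST routes (interim mitigation)
 * Description: Added example for this article, not the plugin's own code.
 *              Place in wp-content/mu-plugins/ so it loads before ordinary
 *              plugins and cannot be deactivated from wp-admin.
 */

// ASSUMPTION: replace with the namespace actually passed to register_rest_route()
// in the installed plugin's app/RestAPI.php. The advisory does not state it.
define( 'AS_BLOCK_NAMESPACE', 'account-switcher/v1' );

/**
 * rest_pre_dispatch runs before route matching for every REST request, so this
 * covers both /wp-json/<route> and the index.php?rest_route=/<route> form.
 */
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $route = $request->get_route();   // e.g. "/account-switcher/v1/rememberLogin"

    if ( 0 !== strpos( $route, '/' . AS_BLOCK_NAMESPACE . '/' ) ) {
        return $result;               // not our namespace: leave untouched
    }

    // Detection value: record who tried to reach the blocked route.
    error_log( sprintf(
        'as-block: refused %s %s user=%d ip=%s',
        $request->get_method(),
        $route,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    return new WP_Error(
        'rest_forbidden',
        'This route is disabled pending a security update.',
        array( 'status' => 403 )
    );
}, 10, 3 );

/**
 * Also drop the routes from the REST index so they are not advertised.
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/' . AS_BLOCK_NAMESPACE ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );
```

Functionally this is equivalent to deactivating the plugin's REST surface, so clients lose account switching either way; its advantage over a web-server rule is that it is scoped to one namespace, survives both REST URL forms, and produces a log line per blocked attempt that can feed incident triage. Remove it once a patched version is installed and verified.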

Sites where the plugin is inactive or uninstalled need no emergency action beyond standard vulnerability monitoring: an inactive plugin registers no REST routes. Removing inactive copies is still worthwhile, since an installed plugin is one click away from reactivation. Agencies should add CVE-2026-6456 to their internal tracking systems and watch for vendor updates. The plugin's update history shows version 1.0.2 as the most recent release; agencies can monitor the WordPress.org plugin repository or subscribe to security bulletins for patch announcements.

The Takeaway

CVE-2026-6456 exposes a straightforward privilege escalation path on WordPress sites running a relatively niche plugin, but the technical pattern (loose comparisons in REST endpoints, missing capability checks) appears frequently across the plugin ecosystem. Agencies that treat security patching as reactive noise rather than scheduled operations face compounding client risk as vulnerabilities like this accumulate across deployments. The vulnerability underscores the value of automated plugin inventory systems and defined patching SLAs: the difference between a same-day audit and a two-week discovery window is often the difference between a controlled maintenance window and a client compromise incident. Agencies should audit for Account Switcher installs today, establish a monitoring cadence for vendor patches, and document the escalation path if a client site shows signs of exploitation before updates ship.