The plugin does not properly verify the ‘wpus_who_switch’ cookie value, which allows attackers with low-privilege accounts like Subscribers to bypass authentication and login as any other existing user.
Log in as a Subscriber on the affected site. Run the following JS in your browser's console: `document.cookie = 'wpus_who_switch=simpleadmin'`
Refresh the page, and notice you can now switch to any other user’s account via the newly added “User Switch” toggle on the top WordPress Admin bar.
CPE | Name | Operator | Version |
---|---|---|---|
- | wp-user-switch | lt | 1.0.3 |
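The root cause above is that a client-writable cookie is taken as the identity to switch to without any server-side verification. The following is an added example (not the plugin's code, and not the fix the vendor shipped) showing the flawed pattern next to a verifiable one: the cookie carries a target user id and expiry protected by an HMAC under a server-side secret, and the caller's own capability is still checked before the switch is honoured. All function names, the `$secret` value and the numeric ids are hypothetical; in a real WordPress plugin the secret would come from `wp_salt('auth')` and the capability check would be `current_user_can('edit_users')`.

```php
<?php
// Added example (hypothetical names, not the wp-user-switch plugin's code).

// Flawed pattern: whatever the client wrote into the cookie becomes the switch
// target. Nothing binds the value to the server or to the caller's privileges.
function unsafe_switch_target(array $cookies): ?string {
    return $cookies['wpus_who_switch'] ?? null; // attacker-controlled, never checked
}

// Hardened pattern: cookie = "<user_id>|<expires_at>|<hmac>", where the HMAC is
// computed over the first two fields with a secret only the server knows.
// The client cannot mint or alter a valid value.
function issue_switch_cookie(int $target_user_id, int $expires_at, string $secret): string {
    $payload = $target_user_id . '|' . $expires_at;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

// Returns the target user id if the cookie is authentic and unexpired, else null.
// $now is injected so the expiry check is deterministic.
function verify_switch_cookie(?string $cookie, string $secret, int $now): ?int {
    if ($cookie === null) {
        return null;
    }
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null; // wrong shape, e.g. a bare username like 'simpleadmin'
    }
    [$user_id, $expires_at, $mac] = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($expires_at)) {
        return null;
    }
    $expected = hash_hmac('sha256', $user_id . '|' . $expires_at, $secret);
    // Constant-time comparison so MAC verification does not leak via timing.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expires_at < $now) {
        return null;
    }
    return (int) $user_id;
}

// A valid cookie is necessary but not sufficient: the *current* user must hold
// the capability that permits switching. Modelled as a boolean here so the
// example runs outside WordPress (in WordPress: current_user_can('edit_users')).
function resolve_switch(?string $cookie, string $secret, int $now, bool $caller_may_switch): ?int {
    if (!$caller_may_switch) {
        return null; // a Subscriber is rejected regardless of what the cookie says
    }
    return verify_switch_cookie($cookie, $secret, $now);
}

// Constructed demonstration values (not taken from the advisory).
$secret = 'replace-with-wp_salt-auth';
$now = 1700000000;

$good = issue_switch_cookie(7, $now + 3600, $secret);   // minted by the server
$bare = 'simpleadmin';                                  // unsigned value from the PoC
$tampered = '1|' . substr($good, 2);                     // target id edited client-side

var_dump(resolve_switch($good, $secret, $now, true));      // authentic, privileged caller
var_dump(resolve_switch($bare, $secret, $now, true));      // unsigned value
var_dump(resolve_switch($tampered, $secret, $now, true));  // MAC no longer matches
var_dump(resolve_switch($good, $secret, $now, false));     // caller lacks capability
```

Run with `php example.php`. Only the first call resolves to a user id; the unsigned value, the tampered value and the unprivileged caller are all rejected. The two checks are deliberately independent: the HMAC stops forgery of the cookie, and the capability check stops a low-privilege account from using even a genuine cookie it may have obtained.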