📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia

CVE-2026-6456

Severity: High
Weakness Type: CWE-287
Published: May 20, 2026  ·  Modified: May 27, 2026  ·  Source: NVD
CVSS v3: 8.8
🔗 NVD Official
📄 Description (English)

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the `rememberLogin` REST API endpoint using a loose comparison (`!=` instead of `!==`) for secret validation at `app/RestAPI.php:111`, combined with no validation that the secret is non-empty. When a target user has never used the "Remember me" feature, their `asSecret` user meta does not exist, causing `get_user_meta()` to return an empty string. An attacker can send an empty `secret` parameter, which passes the comparison (`'' != ''` is `false`), and the endpoint then calls `wp_set_auth_cookie()` for the target user. Additionally, all REST routes use `permission_callback => '__return_true'` with no capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to switch to any user account including Administrator, ultimately granting themselves full administrative privileges.

🤖 AI Executive Summary

The Account Switcher WordPress plugin (versions ≤1.0.2) contains a critical privilege escalation vulnerability allowing authenticated subscribers to gain administrative access through loose type comparison in REST API authentication. An attacker can exploit the `rememberLogin` endpoint by sending an empty secret parameter, bypassing authentication checks and impersonating any user including administrators. This vulnerability poses an immediate threat to WordPress installations in Saudi Arabia, particularly those managing sensitive government, banking, and healthcare data.
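The description and summary above pin the bug to two things: a loose `!=` comparison with no non-empty check, and routes whose `permission_callback` is `__return_true`. The following is an added illustration, not the plugin's source: a reconstruction of that defect class next to a hardened replacement and a route registration with a real capability check. The function names, the `user_id` parameter and the `manage_options` capability are assumptions for illustration; `asSecret`, `secret` and the `account-switcher/v1` namespace come from the advisory.

```php
<?php
// Added example, not the plugin's source: a reconstruction of the defect class the
// advisory describes (loose comparison plus no non-empty check, behind a route whose
// permission_callback is '__return_true') next to a hardened replacement.
// The function names, the 'user_id' parameter and the manage_options capability
// are assumptions for illustration; 'asSecret', 'secret' and the route namespace
// come from the advisory.

// Vulnerable shape. get_user_meta() yields '' when the 'asSecret' row is absent,
// and in PHP '' != '' is false (as is null != ''), so an empty or missing
// secret passes the check.
function as_vulnerable_secret_check(string $stored, $supplied): bool {
    if ($supplied != $stored) {          // loose comparison: the bug
        return false;
    }
    return true;
}

// Hardened shape: both values must be non-empty strings, then a constant-time
// strict comparison. hash_equals() is a PHP core function.
function as_hardened_secret_check(string $stored, $supplied): bool {
    if (!is_string($supplied) || $stored === '' || $supplied === '') {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Route registration with a capability check in permission_callback.
// Only registered when WordPress is loaded; the two functions above run anywhere.
if (function_exists('add_action')) {
    add_action('rest_api_init', function () {
        register_rest_route('account-switcher/v1', '/rememberLogin', [
            'methods'             => 'POST',
            'permission_callback' => function () {
                // assumption: only administrators may switch accounts
                return current_user_can('manage_options');
            },
            'callback' => function (WP_REST_Request $request) {
                $user_id  = (int) $request->get_param('user_id');      // assumed parameter name
                $stored   = (string) get_user_meta($user_id, 'asSecret', true);
                $supplied = $request->get_param('secret');
                if ($user_id <= 0 || !as_hardened_secret_check($stored, $supplied)) {
                    return new WP_Error('as_invalid_secret', 'Invalid secret', ['status' => 403]);
                }
                wp_set_auth_cookie($user_id, true);
                return rest_ensure_response(['switched' => true]);
            },
        ]);
    });
}
```

With both values empty, `as_vulnerable_secret_check` accepts and `as_hardened_secret_check` rejects; a missing parameter (`null`) behaves the same way in each. The hardened version also refuses to compare when the stored secret itself is empty, which is the exact state of a user who never used "Remember me".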


🤖 AI Intelligence Analysis (analyzed: May 21, 2026 17:06)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability directly impacts Saudi organizations using WordPress with the Account Switcher plugin, particularly: (1) Government agencies under NCA oversight managing citizen data and e-services; (2) SAMA-regulated financial institutions and fintech companies using WordPress for customer portals; (3) Healthcare providers under MOH compliance managing patient records; (4) Telecom operators (STC, Mobily, Zain) managing customer accounts; (5) Energy sector organizations managing operational technology interfaces. The privilege escalation allows complete system compromise, enabling data theft, unauthorized transactions, and regulatory violations under SAMA CSF and NCA ECC frameworks.
🏢 Affected Saudi Sectors
Government (NCA-regulated agencies, e-services platforms)
Banking & Financial Services (SAMA-regulated institutions, fintech)
Healthcare (MOH-regulated providers, patient data systems)
Telecommunications (STC, Mobily, Zain customer portals)
Energy (ARAMCO, utility management systems)
Education (university portals, student management systems)
E-commerce (Saudi online retailers using WordPress)
⚖️ Saudi Risk Score (AI): 9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using Account Switcher plugin via plugin audit and version inventory
2. Disable the Account Switcher plugin immediately: wp-cli plugin deactivate account-switcher
3. Remove the plugin entirely: wp-cli plugin delete account-switcher
4. Audit user accounts for unauthorized administrative access created after plugin installation
5. Review REST API access logs for suspicious `rememberLogin` endpoint calls

PATCHING GUIDANCE:
1. Monitor official plugin repository for security patch release
2. Do not re-enable plugin until version >1.0.2 is available with strict type comparison (===) and secret validation
3. If plugin functionality is critical, implement custom authentication layer with proper capability checks

COMPENSATING CONTROLS (if plugin re-activation required before patch):
1. Restrict REST API access via .htaccess: <FilesMatch "wp-json"> Require all denied </FilesMatch>
2. Implement Web Application Firewall (WAF) rules blocking POST requests to /wp-json/account-switcher/v1/rememberLogin
3. Enforce strong authentication: disable REST API for unauthenticated users, require 2FA for all administrative accounts
4. Implement role-based access control: restrict Subscriber role capabilities, audit user role assignments
5. Deploy intrusion detection: monitor for empty secret parameters in REST API logs

DETECTION RULES:
1. Monitor WordPress logs for REST API calls to account-switcher endpoints with empty or missing secret parameters
2. Alert on wp_set_auth_cookie() calls initiated from REST API context
3. Track user role changes from Subscriber to Administrator outside normal workflows
4. Monitor for multiple failed authentication attempts followed by successful privilege escalation
5. Log all REST API requests with permission_callback returning true without capability verification
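The compensating controls and detection rules above both reduce to one observable: a POST to the `rememberLogin` route whose `secret` parameter is missing or empty. Below is an added example, not code from the plugin or from this advisory's author, that inspects such requests. It runs stand-alone over constructed sample records, and when loaded inside WordPress it attaches to the core `rest_request_before_callbacks` filter to reject and log matching requests before the plugin's callback executes. The route path is taken from the advisory; the sample records, user names and IP addresses are constructed.

```php
<?php
// Added example (not code from the plugin or the advisory's author): a request
// inspector for the pattern described above. Stand-alone it scans constructed
// sample records; inside WordPress it blocks and logs matching requests.
// Assumptions: the route path comes from the advisory; the sample records,
// user names and IP addresses below are constructed, not real traffic.

const AS_WATCHED_ROUTE = '/account-switcher/v1/rememberLogin';

/**
 * Inspect one REST request. Returns null when nothing is wrong, otherwise a
 * short reason string suitable for a log line or alert.
 */
function as_inspect_request(string $method, string $route, array $params): ?string {
    if (strtoupper($method) !== 'POST' || $route !== AS_WATCHED_ROUTE) {
        return null;                         // not the endpoint we care about
    }
    if (!array_key_exists('secret', $params)) {
        return 'rememberLogin without secret parameter';
    }
    $secret = $params['secret'];
    if (!is_string($secret) || $secret === '') {
        return 'rememberLogin with empty secret parameter';
    }
    return null;                             // well-formed; plugin-level checks still apply
}

/** Run the inspector over an array of request records and collect the hits. */
function as_scan_records(array $records): array {
    $hits = [];
    foreach ($records as $i => $r) {
        $reason = as_inspect_request($r['method'], $r['route'], $r['params']);
        if ($reason !== null) {
            $hits[] = sprintf('record %d user=%s ip=%s: %s', $i, $r['user'], $r['ip'], $reason);
        }
    }
    return $hits;
}

if (!function_exists('add_filter')) {
    // Stand-alone mode: constructed sample records, not captured traffic.
    $samples = [
        ['method' => 'POST', 'route' => AS_WATCHED_ROUTE, 'params' => ['secret' => ''],
         'user' => 'subscriber01', 'ip' => '192.0.2.10'],
        ['method' => 'POST', 'route' => AS_WATCHED_ROUTE, 'params' => [],
         'user' => 'subscriber02', 'ip' => '192.0.2.11'],
        ['method' => 'POST', 'route' => AS_WATCHED_ROUTE, 'params' => ['secret' => 'constructed-token'],
         'user' => 'editor01', 'ip' => '198.51.100.5'],
        ['method' => 'GET',  'route' => '/wp/v2/posts', 'params' => [],
         'user' => 'anon', 'ip' => '198.51.100.9'],
    ];
    foreach (as_scan_records($samples) as $line) {
        echo $line, PHP_EOL;                 // the first two records are reported
    }
} else {
    // WordPress mode: rest_request_before_callbacks is a core filter; returning a
    // WP_Error from it short-circuits the request before the route callback runs.
    add_filter('rest_request_before_callbacks', function ($response, $handler, $request) {
        $reason = as_inspect_request($request->get_method(), $request->get_route(), $request->get_params());
        if ($reason === null) {
            return $response;
        }
        error_log(sprintf('[account-switcher-guard] user=%d ip=%s %s',
            get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? '-', $reason));
        return new WP_Error('as_guard_blocked', 'Request rejected', ['status' => 403]);
    }, 10, 3);
}
```

The filter approach catches what an access log cannot: POST bodies are not recorded by a web server's access log, so "empty secret" is only visible at the application layer (or in a WAF that inspects bodies). The `error_log` line gives a SIEM something to key on for the "empty or missing secret" rule, and the 403 response doubles as the interim block while the plugin stays deactivated or unpatched.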
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations that use the Account Switcher plugin through a plugin audit and version inventory
2. Disable the Account Switcher plugin immediately: wp-cli plugin deactivate account-switcher
3. Remove the plugin entirely: wp-cli plugin delete account-switcher
4. Audit user accounts for unauthorized administrative access created after the plugin was installed
5. Review REST API access logs for suspicious calls to the rememberLogin endpoint

PATCHING GUIDANCE:
1. Monitor the official plugin repository for a security patch release
2. Do not re-enable the plugin until a version >1.0.2 is available with strict type comparison (===) and secret validation
3. If the plugin's functionality is critical, implement a custom authentication layer with appropriate capability checks

COMPENSATING CONTROLS:
1. Restrict REST API access via .htaccess: <FilesMatch "wp-json"> Require all denied </FilesMatch>
2. Implement Web Application Firewall (WAF) rules blocking POST requests to /wp-json/account-switcher/v1/rememberLogin
3. Enforce strong authentication: disable the REST API for unauthenticated users, require two-factor authentication for all administrative accounts
4. Implement role-based access control: restrict the Subscriber role's capabilities, audit user role assignments
5. Deploy intrusion detection: monitor WordPress logs for REST API calls with empty or missing secret parameters

DETECTION RULES:
1. Monitor WordPress logs for REST API calls to account-switcher endpoints with empty or missing secret parameters
2. Alert on wp_set_auth_cookie() calls initiated from a REST API context
3. Track user role changes from Subscriber to Administrator outside normal workflows
4. Monitor for multiple failed authentication attempts followed by successful privilege escalation
5. Log all REST API requests with a permission_callback that returns true without capability verification
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy: Unauthorized privilege escalation violates access control principles
ECC 2024 A.6.1.2 - User Registration and Access Rights: Improper authentication mechanism allows unauthorized access
ECC 2024 A.7.1.1 - Information Security Roles and Responsibilities: Failure to implement proper API security controls
ECC 2024 A.9.2.1 - User Access Management: Weak authentication enables unauthorized administrative access
ECC 2024 A.12.2.1 - Restrictions on Access to Programs and Information: REST API lacks capability checks
🔵 SAMA CSF
SAMA CSF 1.1 - Governance: Inadequate security controls over critical systems
SAMA CSF 2.1 - Asset Management: Uncontrolled access to administrative functions
SAMA CSF 3.1 - Access Control: Weak authentication and authorization mechanisms
SAMA CSF 3.2 - Identification and Authentication: Loose type comparison bypasses authentication
SAMA CSF 4.1 - Cryptography: Improper secret validation and handling
SAMA CSF 5.1 - Incident Management: Privilege escalation enables unauthorized system modifications
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information Security Policies: Inadequate API security policy implementation
ISO 27001:2022 A.6.1 - Screening: Insufficient access control mechanisms
ISO 27001:2022 A.8.2 - Privileged Access Rights: Unauthorized privilege escalation
ISO 27001:2022 A.8.3 - Information Access Restriction: REST API lacks proper authorization
ISO 27001:2022 A.9.2 - User Access Management: Weak authentication enables unauthorized access
ISO 27001:2022 A.9.4 - Access Rights Review: Undetected unauthorized administrative access
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Default Security Parameters: Weak authentication mechanisms in place
PCI DSS 6.5.10 - Broken Authentication: Loose type comparison and missing secret validation
PCI DSS 7.1 - Access Control: Unauthorized privilege escalation to administrative level
PCI DSS 8.1 - User Identification: Improper user authentication and authorization
📊 CVSS Score: 8.8 / 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: L (Low)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: H (High)
Availability: H (High)
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-287
EPSS: 0.05%
Exploit: No
Patch: No
Published: 2026-05-20
Source Feed: nvd
🇸🇦 Saudi Risk Score: 9.2 / 10.0
Priority: CRITICAL
🏷️ Tags
CWE-287