CVE-2023-2546 in WP User Switch Plugin
Summary
by MITRE • 06/06/2023
The WP User Switch plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 1.0.2. This is due to incorrect authentication checking in the 'wpus_allow_user_to_admin_bar_menu' function with the 'wpus_who_switch' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the username.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/09/2026
The vulnerability identified as CVE-2023-2546 affects the WP User Switch plugin for WordPress, a widely used tool that allows administrators to temporarily switch between user accounts for testing and debugging purposes. This particular flaw represents a critical authentication bypass vulnerability that undermines the fundamental security controls of WordPress installations. The vulnerability exists in plugin versions up to and including 1.0.2, making it a significant concern for WordPress site administrators who have not yet updated their installations. The flaw specifically resides in the wpus_allow_user_to_admin_bar_menu function where improper authentication checking occurs, creating a pathway for malicious actors to exploit the system's user switching functionality.
The technical implementation of this vulnerability stems from the incorrect handling of the wpus_who_switch cookie value within the authentication checking mechanism. When users switch between accounts using the plugin, the system should verify that the requesting user has proper authorization to perform such actions. However, the flawed implementation allows attackers to manipulate the cookie value in a way that circumvents these security checks. This particular weakness creates a scenario where an authenticated attacker with subscriber-level permissions or higher can leverage the plugin's functionality to impersonate any existing user account on the site, including administrators. The vulnerability is particularly dangerous because it does not require privileged access to the system itself, but rather exploits the legitimate plugin functionality to achieve unauthorized access.
The operational impact of this vulnerability extends beyond simple privilege escalation, creating a comprehensive security risk for WordPress installations. An attacker with subscriber-level access can effectively bypass the standard WordPress permission model and gain administrative control over the entire site. This includes the ability to modify content, install malicious plugins, access sensitive data, and potentially compromise the entire WordPress installation. The vulnerability affects the core authentication framework of the plugin, meaning that even sites with proper user management practices become vulnerable. Organizations using WordPress with this plugin version face a significant risk of unauthorized access and potential data breaches, as the attack vector requires minimal privileges and can be executed through standard web browser interactions.
Mitigation strategies for CVE-2023-2546 should prioritize immediate plugin updates to versions that address the authentication bypass vulnerability. Site administrators must ensure they update to the latest version of the WP User Switch plugin where the authentication checking has been properly implemented. Additionally, implementing network-level protections such as web application firewalls and access controls can help detect and prevent exploitation attempts. The vulnerability aligns with CWE-285, which addresses improper authorization issues in software systems, and demonstrates characteristics consistent with ATT&CK technique T1078.004 for valid accounts, as attackers exploit legitimate user account switching functionality rather than brute force attacks. Organizations should also conduct thorough security audits of their WordPress installations to identify any other potentially vulnerable plugins and ensure that all third-party components are kept up to date with security patches.