Attack Vectors
CVE-2026-5617 is a High-severity privilege escalation issue (CVSS 8.8) affecting Login as User – Switch User & WooCommerce Login as Customer (slug: one-click-login-as-user) in all versions up to and including 1.0.3. The attack requires an authenticated WordPress account with Subscriber-level access or higher, which can be obtained through normal user registration (if enabled), compromised credentials (password reuse/phishing), or an insider account.
Once logged in, an attacker can manipulate a specific browser cookie used by the plugin (oclaup_original_admin) to attempt to “return to admin” as a targeted administrator account. Because this can be executed remotely over the network and does not require user interaction, it can fit easily into automated account-takeover playbooks.
Reference: CVE-2026-5617 record and the source advisory from Wordfence.
Security Weakness
The core weakness is a trust boundary failure: the plugin’s handle_return_to_admin() logic relies on a client-controlled cookie (oclaup_original_admin) to decide which WordPress user to authenticate as, without server-side verification that the cookie was legitimately created during an administrator-initiated “switch user” workflow.
In business terms, this means the plugin can treat attacker-supplied browser data as proof of identity. When identity decisions can be influenced from the user’s device (rather than validated on the server), it creates a direct path to admin-level access.
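The following is an added illustration written for this page, not code from the plugin or from Wordfence. It contrasts the weak pattern the advisory describes (the cookie value is taken as the identity to return to) with a server-side design in which the oclaup_original_admin cookie carries only an opaque lookup token. The function names prefixed oclaup_hardened_, the transient key prefix and the one-hour TTL are assumptions; the cookie name and the handle_return_to_admin() behaviour are the ones the advisory names. WordPress APIs used (set_transient, get_transient, wp_set_auth_cookie, current_user_can, user_can, wp_generate_password) are the standard core functions.

```php
<?php
/**
 * Added illustration (not the plugin's source). Shows why a client-controlled
 * cookie must never be the identity decision, and one way to move that decision
 * to the server. Prefix oclaup_hardened_ and the transient key are hypothetical.
 */

// Weak pattern as described in the advisory (illustrative reconstruction, not the
// plugin's actual code): whatever user id the browser sends is logged in.
function weak_return_to_admin() {
    $admin_id = (int) ($_COOKIE['oclaup_original_admin'] ?? 0);
    if ($admin_id > 0) {
        wp_set_auth_cookie($admin_id); // trusts client-supplied data as identity
    }
}

const OCLAUP_SWITCH_TTL = 3600; // assumption: a switch session lives one hour

/** Hardened: an administrator starts a switch into $target_user_id. */
function oclaup_hardened_begin_switch($target_user_id) {
    // Only someone already allowed to manage users may open a switch session.
    if (!current_user_can('edit_users')) {
        return false;
    }
    $admin_id = get_current_user_id();

    // The cookie carries a random, opaque token; identity lives server-side.
    $token = wp_generate_password(40, false);
    set_transient(
        'oclaup_switch_' . hash('sha256', $token),
        array('admin_id' => $admin_id, 'target_id' => (int) $target_user_id),
        OCLAUP_SWITCH_TTL
    );

    setcookie('oclaup_original_admin', $token, array(
        'expires'  => time() + OCLAUP_SWITCH_TTL,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ));

    wp_set_auth_cookie((int) $target_user_id);
    return true;
}

/** Hardened: the switched session asks to return to the original admin. */
function oclaup_hardened_return_to_admin() {
    $token = isset($_COOKIE['oclaup_original_admin']) ? (string) $_COOKIE['oclaup_original_admin'] : '';
    if ($token === '') {
        return false;
    }
    $key    = 'oclaup_switch_' . hash('sha256', $token);
    $record = get_transient($key);
    if (!is_array($record)) {
        return false; // unknown, expired, or already consumed token
    }

    // Single use: consume the record before acting on it.
    delete_transient($key);

    // Only the session that was switched into may return, not any logged-in user.
    if (get_current_user_id() !== (int) $record['target_id']) {
        return false;
    }

    // The original admin must still exist and still hold the capability.
    $admin = get_user_by('id', (int) $record['admin_id']);
    if (!$admin || !user_can($admin, 'edit_users')) {
        return false;
    }

    wp_set_auth_cookie($admin->ID);
    setcookie('oclaup_original_admin', '', time() - 3600, COOKIEPATH, COOKIE_DOMAIN);
    return true;
}
```

The point of the hardened version is that a tampered cookie can at most name a token that the server does not recognise; it can never name a user. Binding the record to the switched-into session, re-checking the original admin's capability at return time, and consuming the record on first use close the remaining gaps a long-lived or shared token would leave open.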
Remediation status: Per the provided advisory details, there is no known patch available at this time. Organizations should apply mitigations based on risk tolerance; many will find it prudent to uninstall and replace the affected software.
Technical or Business Impacts
If exploited, an attacker could gain administrator privileges, which typically equals full control of the WordPress site. That level of access can enable changes to site content, plugin/theme installation, creation of new admin users, and persistence mechanisms that are difficult to detect quickly.
For marketing and revenue operations, the most common outcomes include website defacement, SEO spam injections, unauthorized redirects, and damage to brand trust. For organizations running WooCommerce, the impact can extend to customer and order data exposure, altered checkout experiences, fraudulent administrative actions, and disruption to sales operations.
For leadership and compliance teams, this creates material risk across confidentiality, integrity, and availability: potential data breach obligations, incident response costs, downtime, lost pipeline/revenue, and reputational harm. Because the prerequisite is only a low-privilege account, environments with open registration or large user bases should treat this as especially urgent.
Similar Attacks
Privilege escalation flaws in WordPress ecosystems are a recurring pattern, often stemming from missing authorization checks or trust in user-controlled input. Examples include:
CVE-2017-5487 (WordPress REST API privilege escalation)
CVE-2018-19207 (WP GDPR Compliance privilege escalation)