WordPress Plugin Vulnerabilities

Login as User or Customer (User Switching) <= 3.8 - Authentication Bypass

Description

The Login as User or Customer plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.8. This makes it possible for unauthenticated attackers to login as another user and escalate their privileges.

Affects Plugins

Plugin icon
login-as-customer-or-user
No known fix

References

CVE
CVE-2023-51484
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5b07ea6a-511d-44ab-b0b7-5124702ad47d

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
9.8 (critical)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
9782a3cd-2395-4b96-a203-eaa4e8d41d48

Timeline

Publicly Published
2023-12-27 (about 4 months ago)
Added
2024-01-05 (about 4 months ago)
Last Updated
2024-01-22 (about 3 months ago)

Other

Published
Title
Published
2023-05-22
Title
MStore API < 3.9.2 - Authentication Bypass
Published
2019-08-12
Title
JVM WooCommerce Wishlist <= 1.2.6 - Insecure Direct Object Reference
Published
2014-09-17
Title
WordPress 3.4.2 - 3.9.2 Does Not Invalidate Sessions Upon Logout
Published
2019-03-17
Title
Easy WP SMTP <= 1.3.9 - Unauthenticated Arbitrary wp_options Import
Published
2021-07-21
Title
SendGrid <= 1.11.8 - Authenticated Authorization Bypass