Login as User or Customer Security & Risk Analysis

wordpress.org/plugins/login-as-customer-or-user

This plugin allows you to quickly swap between user accounts in WordPress (in one click). This is very helpful for admins or customer support users to …

100 active installs · v3.9.1 · PHP 5.4+ · WP 4.6+ · Updated Mar 19, 2026
Tags: force-login, login, message-cart, user-switching, view-as-user
Score: 70 (B · Generally Safe)
CVEs total: 5
Unpatched: 1
Last CVE: Feb 27, 2024
Safety Verdict

Is Login as User or Customer Safe to Use in 2026?

Mostly Safe

Score 70/100

Login as User or Customer is generally safe to use. 5 past CVEs were resolved.

5 known CVEs · 1 unpatched · Last CVE: Feb 27, 2024 · Updated 2mo ago
Risk Assessment

The "login-as-customer-or-user" v3.9.1 plugin presents a mixed security posture. While the static analysis indicates a relatively small attack surface with no unprotected entry points and a strong adherence to prepared statements for SQL queries, the plugin's history is a significant concern. The presence of 5 known CVEs, with 2 critically severe and unpatched vulnerabilities, suggests a pattern of recurring security flaws. These historical issues, including authentication bypass, improper authentication/authorization, and CSRF, highlight potential weaknesses in how the plugin handles user access and session management. Despite the current static analysis showing no critical taint flows and good output escaping, the past vulnerability record indicates that these aspects may have been compromised in previous versions, and the current version might still harbor latent risks or be susceptible to similar attack vectors.

Key Concerns

  • Unpatched Critical Vulnerabilities
  • Significant Vulnerability History (5 CVEs)
  • High rate of Critical/High severity CVEs
  • Potential for previously exploited vulnerabilities
Vulnerabilities
5 published

Login as User or Customer Security Vulnerabilities

CVEs by Year

2021: 2 CVEs
2022: 1 CVE
2023: 1 CVE
2024: 1 CVE (unpatched)

Severity Breakdown

Critical: 2
High: 3

5 total CVEs

CVE-2023-7247 · high · 8.1 · Authentication Bypass Using an Alternate Path or Channel

Login as User or Customer <= 3.8 - Unauthenticated Limited Admin Account Compromise

Feb 27, 2024 · Unpatched

CVE-2023-51484 · critical · 9.8 · Improper Authentication

Login as User or Customer (User Switching) <= 3.8 - Authentication Bypass

Dec 27, 2023 · Patched in 3.9.1 (867d)

CVE-2022-4305 · critical · 9.8 · Improper Authorization

Login as User or Customer <= 3.2 - Privilege Escalation

Dec 27, 2022 · Patched in 3.3 (392d)

WF-c873d838-58e8-4f69-bccb-6d1de8d91877-login-as-customer-or-user · high · 8.8 · Cross-Site Request Forgery (CSRF)

Login as User or Customer <= 2.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation/Activation

Apr 22, 2021 · Patched in 2.1 (1006d)

CVE-2021-24195 · high · 8.8 · Missing Authorization

Login as User or Customer < 1.8 - Missing Authorization to Arbitrary Plugin Installation/Activation

Apr 22, 2021 · Patched in 1.8 (1006d)
Code Analysis
Analyzed Apr 16, 2026

Login as User or Customer Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 17 (73 escaped)
Nonce Checks: 4
Capability Checks: 6
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

81% escaped · 90 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
my_action_javascript (admin/order-page.php:144)
Attack Surface

Login as User or Customer Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 2

auth · wp_ajax_my_action_loginas · admin/order-page.php:14
auth · wp_ajax_loginas_return_admin · template.php:11

WordPress Hooks: 19

filter · manage_edit-shop_order_columns · admin/order-page.php:11
action · manage_shop_order_posts_custom_column · admin/order-page.php:12
action · admin_footer · admin/order-page.php:13
action · restrict_manage_posts · admin/order-page.php:15
action · add_meta_boxes · admin/order-page.php:16
action · admin_menu · admin/setting.php:10
action · admin_init · admin/setting.php:11
action · admin_print_styles · admin/setting.php:396
filter · manage_users_columns · admin/users.php:9
filter · manage_users_custom_column · admin/users.php:10
filter · admin_head · admin/users.php:11
action · plugins_loaded · loginas.php:55
action · init · loginas.php:296
filter · plugin_row_meta · loginas.php:330
action · admin_init · notification.php:162
action · wp_footer · template.php:9
action · wp_enqueue_scripts · template.php:10
action · wp_logout · template.php:12
filter · show_admin_bar · template.php:13
Maintenance & Trust

Login as User or Customer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 19, 2026
PHP min version: 5.4
Downloads: 13K

Community Trust

Rating: 60/100
Number of ratings: 13
Active installs: 100
Developer Profile

Login as User or Customer Developer Profile

wp-buy

15 plugins · 345K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 879 days
Detection Fingerprints

How We Detect Login as User or Customer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/login-as-customer-or-user/assets/css/loginas.css
/wp-content/plugins/login-as-customer-or-user/assets/js/loginas.js
Script Paths
/wp-content/plugins/login-as-customer-or-user/assets/js/loginas.js
Version Parameters
login-as-customer-or-user/assets/css/loginas.css?ver=
login-as-customer-or-user/assets/js/loginas.js?ver=

HTML / DOM Fingerprints

CSS Classes
loginas_button
Data Attributes
data-loginas-user-id
JS Globals
loginas_vars