WP-Safety

WP User Switch Security & Risk Analysis

wordpress.org/plugins/wp-user-switch

WP User Switch is a very simple plugin which will help you to switch instantly between the user's account in a WordPress site.

1K active installs v1.1.2 PHP 5.6+ WP 5.0+ Updated Sep 16, 2025
switch-userswitching-accountuser-switchinguser-switchwp-user-switch
74
B · Generally Safe
CVEs total2
Unpatched1
Last CVEJul 9, 2024
Download
Safety Verdict

Is WP User Switch Safe to Use in 2026?

Mostly Safe

Score 74/100

WP User Switch is generally safe to use. 2 past CVEs were resolved. Keep it updated.

2 known CVEs 1 unpatched Last CVE: Jul 9, 2024Updated 6mo ago
Risk Assessment

The "wp-user-switch" plugin, despite its static analysis showing a seemingly low attack surface and good practices in terms of prepared statements and output escaping, presents significant security concerns due to its historical vulnerability data. The plugin has a history of 2 known CVEs, with one remaining unpatched. These past vulnerabilities, specifically 'Missing Authorization' and 'Authentication Bypass Using an Alternate Path or Channel', are critical indicators of potential weaknesses that could be exploited again. The fact that these types of vulnerabilities have occurred previously suggests potential systemic issues in how user roles and permissions are handled within the plugin. While the code signals like nonce and capability checks are present, their effectiveness is undermined by the past exploits that bypassed them. Therefore, the presence of an unpatched high-severity vulnerability and the recurring nature of critical vulnerability types should be a major red flag for users.

Key Concerns

  • Unpatched high-severity CVE
  • History of critical vulnerability types
  • High percentage of properly escaped output
  • Presence of nonce checks
  • Presence of capability checks
Vulnerabilities
2

WP User Switch Security Vulnerabilities

CVEs by Year

1 CVE in 2023
2023
1 CVE in 2024 · unpatched
2024
Patched Has unpatched

Severity Breakdown

High
2

2 total CVEs

CVE-2024-37560high · 8.8Missing Authorization

WP User Switch <= 1.1.0 - Authenticated (Subscriber+) Privilege Escalation

Jul 9, 2024Unpatched
CVE-2023-2546high · 8.8Authentication Bypass Using an Alternate Path or Channel

WP User Switch <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass via Cookie

Jun 4, 2023 Patched in 1.0.3 (233d)
Code Analysis
Analyzed Mar 16, 2026

WP User Switch Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
4
31 escaped
Nonce Checks
2
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

89% escaped35 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
wpus_frontend_userswitch_list (inc\functions.php:68)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WP User Switch Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 11
actionadmin_enqueue_scriptsinc\enqueue_scripts.php:10
actionwp_enqueue_scriptsinc\enqueue_scripts.php:31
actioninitinc\user-switch.php:22
actionadmin_page_access_deniedinc\user-switch.php:23
actionwp_logininc\user-switch.php:24
actionwp_logoutinc\user-switch.php:25
actionadmin_menuinc\user-switch.php:27
actionadmin_bar_menuinc\user-switch.php:28
actionwp_footerinc\user-switch.php:29
actionplugins_loadedwp-user-switch.php:60
actionupgrader_process_completewp-user-switch.php:69
Maintenance & Trust

WP User Switch Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedSep 16, 2025
PHP min version5.6
Downloads28K

Community Trust

Rating82/100
Number of ratings9
Active installs1K
Alternatives

WP User Switch Alternatives

Passe-partout, login as a different user

Passe-partout, login as a different user

passe-partout

A
100

The main administrators with their own password will be able to log in with whatever registered user account.

50 No CVEs
Login as User – Switch User & WooCommerce Login as Customer

Login as User – Switch User & WooCommerce Login as Customer

one-click-login-as-user

A
100

Login as User plugin allows administrators to login as user, login user without password, switch user accounts, and login as customer in WooCommerce i &hellip;

10 No CVEs
UserMorph – Instant User Switching & Account Impersonation for WordPress

UserMorph – Instant User Switching & Account Impersonation for WordPress

usermorph

A
100

Instant user-switching for WordPress. Morph into any account via a searchable admin bar menu securely and fast.

10 No CVEs
Switch User Login By Icegram

Switch User Login By Icegram

switch-user-login-by-icegram

A
100

User Switching Plugin allows administrators to quickly switch between user accounts in WordPress without logging

0 No CVEs
User Switching

User Switching

user-switching

A
100

Instant switching between user accounts in WordPress and WooCommerce.

200K No CVEs
Developer Profile

WP User Switch Developer Profile

iqbalrony

3 plugins · 1K total installs

73
trust score
Avg Security Score
91/100
Avg Patch Time
233 days
View full developer profile
Detection Fingerprints

How We Detect WP User Switch

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-user-switch/assets/css/admin-main.css/wp-content/plugins/wp-user-switch/assets/css/main.css/wp-content/plugins/wp-user-switch/assets/js/main.js
Script Paths
/wp-content/plugins/wp-user-switch/assets/js/main.js
Version Parameters
wp-user-switch/assets/css/admin-main.css?ver=wp-user-switch/assets/css/main.css?ver=wp-user-switch/assets/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpus-user-login
Data Attributes
data-wpus-user-iddata-wpus-nonce
JS Globals
wpus_localize
FAQ

Frequently Asked Questions about WP User Switch