[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7_kzS11JWK8z_Tu0weu3g21bH7rr_ZO-JaSFx9N20Xo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"source_links":31},"CVE-2026-5617","login-as-user-authenticated-subscriber-privilege-escalation-via-oclauporiginaladmin-cookie","Login as User \u003C= 1.0.3 - Authenticated (Subscriber+) Privilege Escalation via 'oclaup_original_admin' Cookie","The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without any server-side verification that the cookie value was legitimately set during an admin-initiated user switch. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to administrator by setting the oclaup_original_admin cookie to an administrator's user ID and triggering the \"Return to Admin\" functionality.","one-click-login-as-user",null,"\u003C=1.0.3","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Authorization Bypass Through User-Controlled Key","2026-04-14 19:44:50","2026-04-15 07:45:30",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc0c74d48-6cfc-4899-bd2c-4a80b1f6e05f?source=api-prod",[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-5617 - Privilege Escalation in \"Login as User\"\n\n## 1. Vulnerability Summary\nThe **Login as User – Switch User & WooCommerce Login as Customer** plugin (version \u003C= 1.0.3) is vulnerable to privilege escalation. The plugin provides a \"Login as User\" feature for administrators. When an administrator switches to another user, the plugin stores the original administrator's ID in a client-side cookie named `oclaup_original_admin`. \n\nThe vulnerability exists in the `handle_return_to_admin()` function, which is responsible for switching the session back to the administrator. This function trusts the value of the `oclaup_original_admin` cookie without verifying that a legitimate user-switching session was ever initiated by an actual administrator. An attacker with Subscriber-level access can manually set this cookie to an administrator's ID and trigger the \"Return to Admin\" routine to gain full administrative access.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** Any WordPress URL (the function is likely hooked to `init` or `admin_init`).\n*   **Vulnerable Parameter:** `$_COOKIE['oclaup_original_admin']`\n*   **Trigger Parameter:** A GET parameter (inferred: `oclaup-return-to-admin` or similar) that invokes the return logic.\n*   **Authentication:** Required (Subscriber or higher).\n*   **Preconditions:** The attacker must know the User ID of an administrator (standard is `1`).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** The plugin registers a hook: \n    `add_action('init', 'handle_return_to_admin')` (inferred).\n2.  **Trigger Check:** `handle_return_to_admin()` checks if a specific GET parameter is present in the request (e.g., `$_GET['oclaup-return-to-admin']`).\n3.  **Vulnerable Sink:** If the trigger is present, the function:\n    *   Reads `$admin_id = $_COOKIE['oclaup_original_admin']`.\n    *   Calls `wp_set_current_user($admin_id)`.\n    *   Calls `wp_set_auth_cookie($admin_id)`.\n    *   Redirects the user to the WordPress dashboard (`admin_url()`).\n4.  **Failure Point:** There is no server-side check (e.g., a signed token or a database-backed session) to verify that the current user was actually switched *from* that administrator ID.\n\n## 4. Nonce Acquisition Strategy\nThe vulnerability description explicitly states the plugin \"trusts a client-controlled cookie ... without any server-side verification.\" This suggests that even if a nonce is used to generate the \"Return to Admin\" link in the UI, the back-end handler `handle_return_to_admin()` likely fails to validate it, or the nonce is not required for the transition.\n\n**If a nonce is required:**\n1.  **Identify Triggering Shortcode:** Check for shortcodes that render the \"Return to Admin\" bar.\n2.  **Page Creation:** `wp post create --post_type=page --post_status=publish --post_content='[one_click_login_as_user_return_bar]'` (inferred shortcode).\n3.  
**Extraction:**\n    *   Navigate to the page as the Subscriber.\n    *   Read the nonce from the rendered return link or its inline script (inferred variable: `window.oclaup_data.return_nonce`).\n\n*Note: For this specific vulnerability, the exploit likely proceeds by simply providing the cookie and the trigger GET parameter.*\n\n## 5. Exploitation Strategy\nThe goal is to escalate from Subscriber to Administrator by spoofing the \"return\" process.\n\n### Step-by-Step Plan:\n1.  **Login:** Authenticate as a Subscriber user and keep the `wordpress_logged_in_*` cookie that the login sets.\n2.  **Identify Admin ID:** Assume Admin ID is `1` (the account created during installation).\n3.  **Prepare Payload:**\n    *   **Cookie:** `oclaup_original_admin=1`\n    *   **GET Trigger:** `?oclaup-return-to-admin=1` (This parameter name is inferred from the plugin slug `one-click-login-as-user`).\n4.  **Execute Request:**\n    *   Send a GET request to the WordPress home page with the trigger parameter.\n    *   Include the Subscriber's session cookies AND the spoofed `oclaup_original_admin` cookie.\n5.  **Capture Redirect:** Check the `Set-Cookie` headers of the `302` response (before following the redirect) for new `wordpress_logged_in_*` cookies. The cookie value begins with the user's login name, so an administrator's login name there confirms the account switch.\n\n### Primary HTTP Request:\n```http\nGET \u002F?oclaup-return-to-admin=1 HTTP\u002F1.1\nHost: localhost:8080\nCookie: wordpress_logged_in_[HASH]=[Subscriber_Cookie]; oclaup_original_admin=1\n```\n\n## 6. Test Data Setup\n1.  **Users:**\n    *   Ensure an administrator exists (User ID 1).\n    *   Create a Subscriber user: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`.\n2.  **Plugin Configuration:**\n    *   Activate the plugin: `wp plugin activate one-click-login-as-user`.\n    *   No specific settings are typically required to enable the \"return\" functionality as it is a core part of the user-switching flow.\n\n## 7. 
Expected Results\n*   The server should respond with a `302 Found` redirect to `\u002Fwp-admin\u002F`.\n*   The response headers (`Set-Cookie`) should contain new authentication cookies for User ID 1: `wordpress_[HASH]` (or `wordpress_sec_[HASH]` over HTTPS) together with `wordpress_logged_in_[HASH]`, both set by `wp_set_auth_cookie()`.\n*   The Subscriber's session is effectively replaced by an Administrator's session.\n\n## 8. Verification Steps\n1.  **Check the Session over HTTP:** WP-CLI cannot see the browser session, so verify by replaying the cookies received from the exploit against an admin-only screen such as `\u002Fwp-admin\u002Fusers.php` (requires the `list_users` capability). A Subscriber receives a 403 error page; an administrator receives the user list.\n2.  **Verify Permissions:**\n    ```bash\n    # Replay every auth cookie the exploit response set (wordpress_[HASH] or\n    # wordpress_sec_[HASH], plus wordpress_logged_in_[HASH]) against users.php.\n    curl -s -o \u002Fdev\u002Fnull -w '%{http_code}' -b 'wordpress_[HASH]=[Admin_Auth_Cookie]; wordpress_logged_in_[HASH]=[Admin_Cookie]' http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fusers.php\n    # 200 means the session holds list_users (administrator); 403 means it is still a Subscriber.\n    ```\n3.  **WP-CLI State Check:**\n    Check if any options were changed or if the attacker's account role was modified (though this exploit usually provides a session, not a permanent role change unless the attacker then uses the admin session to change their own role).\n\n## 9. Alternative Approaches\n*   **Trigger Parameter Guessing:** If `oclaup-return-to-admin` fails, search the plugin source (e.g., `grep -r \"_GET\" .`) for other parameters used in the `init` or `admin_init` hooks.\n*   **Cookie Name Variation:** If `oclaup_original_admin` is incorrect, check for variations like `oclaup_admin_id` or `switch_user_back`.\n*   **Role Change:** Once the Admin session is obtained, immediately use it to promote the Subscriber account to Administrator to ensure persistent access:\n    `POST \u002Fwp-admin\u002Fuser-edit.php` with `action=update`, `user_id=[Subscriber_ID]`, `role=administrator` and the form's `_wpnonce` (nonce action `update-user_[Subscriber_ID]`), which the admin session can read from `GET \u002Fwp-admin\u002Fuser-edit.php?user_id=[Subscriber_ID]`.","The Login as User plugin for WordPress is vulnerable to privilege escalation because it relies on a client-controlled cookie (oclaup_original_admin) to identify the administrator when reverting from a switched-user session. 
An authenticated attacker with basic permissions (Subscriber and above) can manually set this cookie to an administrator's ID and trigger the return mechanism to gain full administrative access.","\u002F\u002F Inferred from plugin logic within the handle_return_to_admin function\n\npublic function handle_return_to_admin() {\n    if ( isset( $_GET['oclaup-return-to-admin'] ) && isset( $_COOKIE['oclaup_original_admin'] ) ) {\n        $admin_id = intval( $_COOKIE['oclaup_original_admin'] );\n        \n        wp_set_current_user( $admin_id );\n        wp_set_auth_cookie( $admin_id );\n        \n        wp_safe_redirect( admin_url() );\n        exit;\n    }\n}","--- a\u002Fincludes\u002Fclass-login-as-user.php\n+++ b\u002Fincludes\u002Fclass-login-as-user.php\n@@ -10,6 +10,11 @@\n-    if ( isset( $_GET['oclaup-return-to-admin'] ) && isset( $_COOKIE['oclaup_original_admin'] ) ) {\n-        $admin_id = intval( $_COOKIE['oclaup_original_admin'] );\n+    if ( isset( $_GET['oclaup-return-to-admin'] ) && isset( $_COOKIE['oclaup_original_admin'] ) ) {\n+        if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( $_GET['_wpnonce'], 'oclaup_return_admin' ) ) {\n+            wp_die( 'Security check failed' );\n+        }\n+        \n+        \u002F\u002F Verify the original admin ID is stored in a secure session or signed token\n+        $admin_id = intval( $_COOKIE['oclaup_original_admin'] );","The exploit involves spoofing the plugin's 'Return to Admin' functionality, which is intended to restore an administrator's session after they have finished 'impersonating' another user. \n\n1. Authenticate to the WordPress site as a user with Subscriber-level privileges.\n2. Identify the User ID of a target administrator (commonly ID 1).\n3. Prepare a request to any WordPress endpoint including a trigger GET parameter (e.g., `?oclaup-return-to-admin=1`).\n4. Include a manually set cookie in the request: `oclaup_original_admin=[Target_Admin_ID]`.\n5. 
The plugin's `handle_return_to_admin()` function (inferred to be hooked to `init`) will detect the cookie and the GET parameter. Without server-side verification or nonce validation, it will authenticate the session as the user ID specified in the cookie.\n6. The attacker receives new authentication cookies (`wordpress_*` or `wordpress_sec_*` plus `wordpress_logged_in_*`, as set by `wp_set_auth_cookie()`) for the administrator account and is redirected to the dashboard.","gemini-3-flash-preview","2026-04-16 15:43:04","2026-04-16 15:43:23",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fone-click-login-as-user\u002Ftags"]
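Review bot: the research_fix_diff hunk keeps `$admin_id = intval( $_COOKIE['oclaup_original_admin'] );` as the source of the account to re-authenticate, so the authorization bypass the advisory describes survives the added nonce check; `wp_verify_nonce( $_GET['_wpnonce'], 'oclaup_return_admin' )` only proves that the request came from the attacker's own logged-in session, and if the plugin renders the return link whenever the cookie is present (the research plan's section 4 describes such a return bar), a Subscriber who sets the cookie also receives a valid nonce. The comment `// Verify the original admin ID is stored in a secure session or signed token` names the check that is actually needed but the hunk does not implement it: the original administrator must be recovered from server-side state written at switch time (user meta on the impersonated account, or an HMAC over the ID keyed with a site salt), checked for expiry, and confirmed to still exist and still hold the capability the switch requires before `wp_set_auth_cookie` is called. The header `@@ -10,6 +10,11 @@` also does not match the visible body (two removed and seven added lines, no context), so the hunk is truncated and the lines that consume `$admin_id` are not shown for review.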
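The hardened flow that the inferred fix above only gestures at, written as an added example rather than code from the Login as User plugin: the return handler never reads an administrator ID from the client. At switch time the administrator's ID is stored server-side as user meta on the impersonated account, bound to a random single-use token that the browser holds; on return the handler looks up that record, compares the token with `hash_equals`, checks expiry, and re-checks that the original account still exists and is still allowed to edit the impersonated user. The `example_` hook, query-arg, cookie and meta names are hypothetical, as is the `edit_user` capability chosen as the authorization rule; everything else is WordPress core API.

```php
<?php
// Added example, not code from the Login as User plugin. All `example_` names
// (hooks, query args, cookie, meta key) and the `edit_user` rule are hypothetical.

add_action( 'init', 'example_handle_switch_to_user' );
add_action( 'init', 'example_handle_return_to_admin' );

define( 'EXAMPLE_SWITCH_META', '_example_switched_from' ); // meta on the impersonated account
define( 'EXAMPLE_SWITCH_TTL', HOUR_IN_SECONDS );           // how long a return is honoured

// Link an administrator clicks to impersonate $target_id; carries a nonce tied to their session.
function example_switch_link( $target_id ) {
    $target_id = absint( $target_id );
    $url       = add_query_arg( 'example_switch_to', $target_id, home_url( '/' ) );
    return wp_nonce_url( $url, 'example_switch_to_' . $target_id );
}

function example_handle_switch_to_user() {
    if ( ! isset( $_GET['example_switch_to'] ) ) {
        return;
    }
    $target_id = absint( $_GET['example_switch_to'] );
    $admin_id  = get_current_user_id();

    // Authorization first: the caller must be allowed to edit the account it wants to become.
    if ( ! $admin_id || ! get_userdata( $target_id ) || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_die( 'Not allowed', 403 );
    }
    // CSRF: the link must have been generated for this administrator's own session.
    check_admin_referer( 'example_switch_to_' . $target_id );

    // Record who switched, server-side. The browser gets only a random token;
    // the database holds its hash, the admin ID and an expiry.
    $token = wp_generate_password( 32, false );
    update_user_meta( $target_id, EXAMPLE_SWITCH_META, array(
        'admin_id' => $admin_id,
        'token'    => wp_hash( $token ),
        'expires'  => time() + EXAMPLE_SWITCH_TTL,
    ) );
    setcookie( 'example_switch_token', $token, time() + EXAMPLE_SWITCH_TTL,
        COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );

    wp_set_auth_cookie( $target_id );
    wp_safe_redirect( home_url( '/' ) );
    exit;
}

function example_handle_return_to_admin() {
    if ( ! isset( $_GET['example_return'] ) || ! is_user_logged_in() ) {
        return;
    }
    $current = get_current_user_id();
    $record  = get_user_meta( $current, EXAMPLE_SWITCH_META, true );
    $token   = isset( $_COOKIE['example_switch_token'] ) ? (string) $_COOKIE['example_switch_token'] : '';

    // Everything about "where to return" comes from the record written at switch time.
    // A client-supplied administrator ID has nothing here to act on.
    if ( ! is_array( $record ) || ! isset( $record['token'], $record['admin_id'], $record['expires'] )
        || '' === $token
        || ! hash_equals( (string) $record['token'], wp_hash( $token ) )
        || time() > (int) $record['expires'] ) {
        delete_user_meta( $current, EXAMPLE_SWITCH_META );
        wp_die( 'No active switch session', 403 );
    }

    $admin_id = (int) $record['admin_id'];
    // The original account must still exist and still be allowed to do what it did.
    if ( ! get_userdata( $admin_id ) || ! user_can( $admin_id, 'edit_user', $current ) ) {
        delete_user_meta( $current, EXAMPLE_SWITCH_META );
        wp_die( 'Original account is no longer eligible', 403 );
    }

    // Single use: consume the record and clear the token before re-authenticating.
    delete_user_meta( $current, EXAMPLE_SWITCH_META );
    setcookie( 'example_switch_token', '', time() - YEAR_IN_SECONDS,
        COOKIEPATH, COOKIE_DOMAIN, is_ssl(), true );

    wp_set_auth_cookie( $admin_id );
    wp_safe_redirect( admin_url() );
    exit;
}
```

The contrast with the inferred vulnerable handler on this page is that `$_COOKIE` carries only an opaque token whose meaning lives in the database, so a Subscriber setting a cookie to `1` changes nothing the server trusts; the nonce on the switch link stays, but only as CSRF protection for the administrator's own click, not as the authorization decision.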