CVE-2026-5617
Published: 15 April 2026
Summary
CVE-2026-5617 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 14.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-3 mandates enforcement of approved authorizations for access, directly preventing privilege escalation by requiring server-side verification instead of trusting the client-controlled oclaup_original_admin cookie.
SI-10 requires validation of information inputs like the oclaup_original_admin cookie, addressing the lack of server-side checks that allowed attackers to forge admin user IDs.
AC-6 enforces least privilege, limiting the impact of escalation attempts by ensuring privilege switches in plugins like Login as User grant only necessary access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a privilege escalation flaw allowing authenticated low-privileged users to gain administrator access by abusing an improperly validated client-controlled cookie in the user switch functionality.
NVD Description
The Login as User plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the handle_return_to_admin() function trusting a client-controlled cookie (oclaup_original_admin) to determine which user to authenticate as, without…
more
any server-side verification that the cookie value was legitimately set during an admin-initiated user switch. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to administrator by setting the oclaup_original_admin cookie to an administrator's user ID and triggering the "Return to Admin" functionality.
Deeper analysisAI
CVE-2026-5617 is a privilege escalation vulnerability (CWE-639) in the Login as User plugin for WordPress, affecting all versions up to and including 1.0.3. The flaw exists in the handle_return_to_admin() function, which trusts a client-controlled cookie named oclaup_original_admin to determine which user to authenticate as, without any server-side verification that the cookie value was legitimately set during an admin-initiated user switch. Published on 2026-04-15, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability by setting the oclaup_original_admin cookie to an administrator's user ID and then triggering the "Return to Admin" functionality, allowing them to escalate their privileges to administrator level.
Advisories and references, including Wordfence threat intelligence and the plugin's WordPress.org page, detail the issue, with source code excerpts from version 1.0.3 and the trunk available in the WordPress plugin trac repository pointing to lines 45 and 50 in class-login-handler.php. Security practitioners should consult these resources for update guidance, as versions beyond 1.0.3 may address the flaw.
Details
- CWE(s)