Wp-Buy: >> Login As User Or Customer (User Switching) Security Vulnerabilities
The Login as User or Customer WordPress plugin through 3.8 does not prevent users to log in as any other user on the site.
CVSS Score
4.9
EPSS Score
0.003
Published
2024-03-11
The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that users are allowed to log in as another one, which could allow unauthenticated attackers to obtain a valid admin session.
CVSS Score
9.8
EPSS Score
0.89
Published
2023-01-23
Low privileged users can use the AJAX action 'cp_plugins_do_button_job_later_callback' in the Login as User or Customer (User Switching) WordPress plugin before 1.8, to install any plugin (including a specific version) from the WordPress repository, as well as activate arbitrary plugin from then blog, which helps attackers install vulnerable plugins and could lead to more critical vulnerabilities like RCE.
CVSS Score
8.8
EPSS Score
0.006
Published
2021-05-14