CVE-2023-7247 – Login as User or Customer <= 3.8 - Admin Account Takeover

https://notcve.org/view.php?id=CVE-2023-7247

The Login as User or Customer WordPress plugin through 3.8 does not prevent users to log in as any other user on the site. El complemento Login as User or Customer de WordPress hasta la versión 3.8 no impide que los usuarios inicien sesión como cualquier otro usuario en el sitio. The Login as User or Customer plugin for WordPress is vulnerable to admin account compromise in version 3.8. This is due to the plugin not validating that the user switching back to the administrative account is the user who initiated the original login as another user. This makes it possible for unauthenticated attackers to access administrative user accounts when user switching is in progress by an administrator. • https://drive.google.com/file/d/1GCOzJ-ZovYij9GIdmsrZrR9g8mlC22hs/view?usp=sharing https://wpscan.com/vulnerability/96b93253-31d0-4184-94b7-f1e18355d841 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •