CVE-2022-4305

CRITICAL NUCLEI

WordPress Plugin <3.3 - Privilege Escalation

Title source: llm

Description

The Login as User or Customer WordPress plugin before 3.3 lacks authorization checks to ensure that a user is allowed to log in as another user, which could allow unauthenticated attackers to obtain a valid admin session.

Nuclei Templates (1)

Login as User or Customer < 3.3 - Privilege Escalation
CRITICAL VERIFIED by r3Y3r53
Shodan: http.html:/wp-content/plugins/login-as-customer-or-user
FOFA: body=/wp-content/plugins/login-as-customer-or-user

Scores

CVSS v3 9.8
EPSS 0.8305
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

Status published
Products (1)
wp-buy/login_as_user_or_customer_(user_switching) < 3.3
Published Jan 23, 2023
Tracked Since Feb 18, 2026