CVE-2025-5190

The Browse As plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 0.2. This is due to incorrect authentication checking in the 'IS_BA_Browse_As::notice' function with the 'is_ba_original_user_COOKIEHASH' cookie value. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator, if they have access to the user id.
Configurations

No configuration.

History

30 May 2025, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2025-05-30 12:15

Updated : 2025-05-30 16:31


NVD link : CVE-2025-5190

Mitre link : CVE-2025-5190

CVE.ORG link : CVE-2025-5190


JSON object : View

Products Affected

No product.

CWE
CWE-288

Authentication Bypass Using an Alternate Path or Channel