The Browse As plugin for WordPress, developed by sorich87, suffers from an authentication bypass vulnerability identified as CVE-2025-5190. This vulnerability is classified under CWE-288, which involves authentication bypass using an alternate path or channel. The root cause lies in the improper validation of the is_ba_original_user_COOKIEHASH cookie within the IS_BA_Browse_As::notice function. This cookie is intended to verify the identity of the original user, but due to flawed logic, an attacker with authenticated access at subscriber level or above can manipulate this cookie and specify any user ID to impersonate that user. This includes high-privilege accounts such as administrators. The vulnerability affects all versions of the plugin up to and including 0.2. Exploitation requires only low privileges and no user interaction, and can be performed remotely over the network. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and privileges required. No patches or official fixes have been released yet, and no known exploits are currently in the wild. However, the potential for privilege escalation and full site compromise is significant, making this a critical issue for WordPress sites using this plugin.

If exploited, this vulnerability allows an attacker with minimal authenticated access to escalate privileges by impersonating any user on the WordPress site, including administrators. This can lead to complete site takeover, unauthorized content modification, data theft, installation of backdoors or malware, and disruption of site availability. The breach of administrator accounts undermines the entire security posture of the affected site, potentially exposing sensitive user data and enabling further lateral movement within the hosting environment. For organizations relying on WordPress for business operations, this could result in reputational damage, regulatory penalties, and financial losses. The ease of exploitation combined with the broad impact on confidentiality, integrity, and availability makes this a critical threat to any site running the vulnerable plugin.

Until an official patch is released, organizations should immediately restrict access to the Browse As plugin by disabling it or removing it from their WordPress installations. Review and tighten user permissions to limit subscriber-level accounts and above to trusted users only. Implement monitoring to detect unusual user ID access patterns or cookie manipulations related to is_ba_original_user_COOKIEHASH. Employ Web Application Firewalls (WAFs) with custom rules to block suspicious requests targeting this vulnerability. Regularly audit WordPress plugins and maintain an inventory to quickly identify vulnerable components. Once a patch is available, apply it promptly and verify the fix. Additionally, consider implementing multi-factor authentication (MFA) for administrative accounts to reduce the risk of account compromise. Backup site data frequently to enable recovery in case of successful exploitation.