CVE-2025-5190: 
WordPress vulnerability analysis and mitigation

The Browse As plugin for WordPress contains an authentication bypass vulnerability (CVE-2025-5190) affecting versions up to and including 0.2. The vulnerability was discovered and disclosed on May 30, 2025. The issue affects the authentication checking mechanism in the 'ISBABrowseAs::notice' function, specifically related to the 'isbaoriginaluser_COOKIEHASH' cookie value (NVD, Wiz).

The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from incorrect authentication checking in the plugin's notice function (NVD, Wordfence).

The vulnerability allows authenticated attackers with subscriber-level permissions or higher to log in as any existing user on the site, including administrators, provided they have access to the user ID. This effectively enables privilege escalation and unauthorized access to administrative functions (NVD).

Users running affected versions of the Browse As plugin (version 0.2 or earlier) should update to a patched version when available or consider removing the plugin until a fix is released (Wiz).