VYPR
High severity8.8NVD Advisory· Published May 27, 2026· Updated May 27, 2026No known patch

CVE-2026-8787

CVE-2026-8787

Description

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the firebase_auth() function authenticating the request as the WordPress user whose email is supplied in the user_email POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user — including an Administrator — by submitting that user's email address to the acb_firebase_auth AJAX action, resulting in full account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

1