VYPR
High severity · 8.8 · NVD Advisory · Published May 27, 2026

CVE-2026-8787


Description

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the firebase_auth() function authenticating the request as the WordPress user whose email is supplied in the user_email POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user — including an Administrator — by submitting that user's email address to the acb_firebase_auth AJAX action, resulting in full account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Firebase Support & Chat Management plugin up to and including 3.1.1 lets any authenticated user take over an arbitrary WordPress account by submitting that account's email address to an AJAX action that performs no Firebase ID token verification.

Vulnerability

The Firebase Support & Chat Management plugin for WordPress ("Admin Chat Box") is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. The firebase_auth() function, registered to handle the wp_ajax_acb_firebase_auth AJAX action, authenticates the request as the WordPress user whose email is supplied in the user_email POST parameter without verifying ownership of that email. No Firebase ID token signature, issuer, or audience verification is performed [1][2]. This means the function trusts the email value directly and logs the requester in as that user, regardless of whether the requester actually owns the email address.

Exploitation

An authenticated attacker with at least Subscriber-level access can craft a POST request to the acb_firebase_auth AJAX action, supplying the user_email parameter with the email address of any existing WordPress user, such as an Administrator. The plugin will process the request and log the attacker in as that user, effectively performing a session takeover. No additional authentication or token validation is required [1][2][3][4].

Impact

A successful attack results in complete account takeover of the targeted user. An attacker gaining Administrator privileges can fully compromise the WordPress site, including modifying content, installing plugins, changing user roles, and accessing sensitive data. The impact is high confidentiality, integrity, and availability loss.

Mitigation

As of the publication date, no official patch has been released; versions 3.1.1 and earlier remain vulnerable. Users should disable the plugin or restrict access to the vulnerable AJAX action until a fixed version is issued. The plugin has not been listed on CISA KEV at this time. Site administrators can also consider using a Web Application Firewall (WAF) rule to block requests to wp-admin/admin-ajax.php with the action acb_firebase_auth for non-admin users, but this workaround may break legitimate functionality.
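What the missing verification looks like, as an added illustration rather than the plugin's own code: the handler validates a Firebase ID token and takes the account identity from the verified email claim instead of the client-supplied user_email field. It assumes the firebase/php-jwt library (v6+) is installed via Composer, that a FIREBASE_PROJECT_ID constant is defined in wp-config.php, and that the client sends the token in an id_token POST field; the function name is hypothetical.

```php
<?php
// Added illustration (not the plugin's code). Assumptions: firebase/php-jwt v6+
// is autoloaded and FIREBASE_PROJECT_ID is defined in wp-config.php.
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

add_action('wp_ajax_acb_firebase_auth', 'hardened_firebase_auth'); // hypothetical handler name

function hardened_firebase_auth() {
    // Accept only a signed Firebase ID token; the bare user_email field is ignored entirely.
    $id_token = isset($_POST['id_token']) ? (string) $_POST['id_token'] : '';
    if ($id_token === '') {
        wp_send_json_error('missing id_token', 400);
    }
    // Google's signing certificates for securetoken ID tokens rotate, so cache them briefly.
    $certs = get_transient('firebase_securetoken_certs');
    if (!is_array($certs)) {
        $resp  = wp_remote_get('https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com');
        $certs = is_wp_error($resp) ? null : json_decode(wp_remote_retrieve_body($resp), true);
        if (!is_array($certs)) {
            wp_send_json_error('could not load signing keys', 502);
        }
        set_transient('firebase_securetoken_certs', $certs, HOUR_IN_SECONDS);
    }
    $keys = [];
    foreach ($certs as $kid => $pem) {
        $keys[$kid] = new Key($pem, 'RS256'); // algorithm pinned: no "none", no HS256 key confusion
    }
    try {
        // Verifies the RS256 signature with the key named by the token's kid header, plus exp/nbf/iat.
        $claims = JWT::decode($id_token, $keys);
    } catch (\Throwable $e) {
        wp_send_json_error('invalid token', 401);
    }
    // Issuer and audience must match this Firebase project; the email must be verified by Firebase.
    $project = FIREBASE_PROJECT_ID;
    if (($claims->aud ?? '') !== $project
        || ($claims->iss ?? '') !== 'https://securetoken.google.com/' . $project
        || empty($claims->sub) || empty($claims->email) || empty($claims->email_verified)) {
        wp_send_json_error('token not issued for this project or email unverified', 401);
    }
    // Identity comes from the verified claims, never from a client-supplied email address.
    $user = get_user_by('email', sanitize_email($claims->email));
    if (!$user) {
        wp_send_json_error('no matching WordPress account', 404);
    }
    wp_set_current_user($user->ID);
    wp_set_auth_cookie($user->ID, true);
    wp_send_json_success(['user_id' => $user->ID]);
}
```

The fetch of Google's certificates goes through wp_remote_get so it honours the site's HTTP settings; a failure there denies the login rather than falling back to the unverified email.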

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)