CVE-2026-8787
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory, and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the firebase_auth() function authenticating the request as the WordPress user whose email is supplied in the user_email POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user — including an Administrator — by submitting that user's email address to the acb_firebase_auth AJAX action, resulting in full account takeover.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=3.1.1
Patches
Vulnerability mechanics
References
5- plugins.trac.wordpress.org/browser/admin-chat-box/tags/3.1.1/inc/ACB_AjaxHandler.phpnvd
- plugins.trac.wordpress.org/browser/admin-chat-box/tags/3.1.1/inc/ACB_AjaxHandler.phpnvd
- plugins.trac.wordpress.org/browser/admin-chat-box/trunk/inc/ACB_AjaxHandler.phpnvd
- plugins.trac.wordpress.org/browser/admin-chat-box/trunk/inc/ACB_AjaxHandler.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/90783d75-a255-4133-ac7b-32e0a70c8c69nvd
News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (May 25, 2026 to May 31, 2026)Wordfence Blog · Jun 4, 2026