CVE-2026-8787 Overview
CVE-2026-8787 is a privilege escalation vulnerability in the Firebase Support & Chat Management plugin for WordPress, affecting all versions up to and including 3.1.1. The flaw resides in the firebase_auth() function, which authenticates requests based solely on the user_email POST parameter. The plugin does not verify ownership of the supplied email through Firebase ID token signature, issuer, or audience checks. Authenticated attackers with Subscriber-level access can submit an Administrator's email to the acb_firebase_auth AJAX action and log in as that user. The vulnerability is categorized under CWE-269: Improper Privilege Management.
Critical Impact
Subscriber-level attackers can take over Administrator accounts, gaining full control of the affected WordPress site.
Affected Products
- Firebase Support & Chat Management plugin for WordPress (admin-chat-box)
- All versions up to and including 3.1.1
- WordPress sites with the plugin installed and active
Discovery Timeline
- 2026-05-27 - CVE-2026-8787 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-8787
Vulnerability Analysis
The vulnerability stems from the firebase_auth() function in ACB_AjaxHandler.php, which handles the acb_firebase_auth AJAX action. The function trusts the user_email POST parameter as proof of identity. It locates the matching WordPress user record and authenticates the session as that user. No cryptographic verification of a Firebase ID token occurs at any point in the flow.
Firebase authentication is designed around signed ID tokens issued by Google. Server-side handlers must validate the token signature, the iss (issuer) claim, the aud (audience) claim, and confirm the email is verified within the token payload. The plugin omits all of these checks. As a result, the email parameter alone determines which WordPress account the request is treated as.
Because the AJAX endpoint requires only a valid WordPress nonce available to any authenticated user, Subscriber-level accounts meet the access requirement. Submitting an Administrator's email yields a full Administrator session.
Root Cause
The root cause is missing token verification in a federated authentication handler. The plugin treats client-supplied data as authoritative identity evidence. Without signature validation against Google's public keys, the server cannot prove that the requester controls the supplied email.
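The following is an added example, not the plugin's own code: a reconstruction of the vulnerable pattern described above next to a hardened handler that derives identity only from a verified Firebase ID token. It assumes the firebase/php-jwt library, a hypothetical helper firebase_public_keys() that returns Google's current secure-token JWKS as an array, and a client that posts the ID token in an id_token field instead of a bare email.

```php
<?php
// Added example (not the plugin's code). Assumes firebase/php-jwt and a hypothetical
// firebase_public_keys() helper returning Google's secure-token JWKS as an array.
use Firebase\JWT\JWT;
use Firebase\JWT\JWK;

// Reconstructed vulnerable pattern: the client-supplied email alone selects the account.
function firebase_auth_vulnerable(): void {
    $email = sanitize_email( $_POST['user_email'] ?? '' );
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        wp_set_auth_cookie( $user->ID, true ); // any Subscriber can name an Administrator here
        wp_send_json_success();
    }
    wp_send_json_error( 'unknown user', 401 );
}

// Hardened pattern: identity comes only from a Firebase ID token whose signature,
// issuer, audience and email_verified claim have all been checked.
function firebase_auth_hardened( string $project_id ): void {
    check_ajax_referer( 'acb_firebase_auth', 'nonce' ); // CSRF protection, not identity
    $id_token = (string) ( $_POST['id_token'] ?? '' );
    try {
        // RS256 signature check against Google's published keys (matched by kid);
        // JWT::decode also enforces exp, nbf and iat.
        $keys   = JWK::parseKeySet( firebase_public_keys(), 'RS256' );
        $claims = JWT::decode( $id_token, $keys );
    } catch ( \Throwable $e ) {
        wp_send_json_error( 'invalid token', 401 );
    }
    // Issuer and audience must be bound to this Firebase project.
    if ( ( $claims->iss ?? '' ) !== 'https://securetoken.google.com/' . $project_id
        || ( $claims->aud ?? '' ) !== $project_id
        || empty( $claims->sub ) ) {
        wp_send_json_error( 'token not issued for this project', 401 );
    }
    // Only an email that Google has verified may be mapped to a local account.
    if ( empty( $claims->email ) || empty( $claims->email_verified ) ) {
        wp_send_json_error( 'email not verified', 403 );
    }
    $user = get_user_by( 'email', $claims->email ); // never $_POST['user_email']
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 401 );
    }
    wp_set_auth_cookie( $user->ID, true );
    wp_send_json_success( [ 'user' => $user->user_login ] );
}
```

wp_send_json_error() terminates the request, so each failed check stops the flow before a cookie is issued.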
Attack Vector
An attacker registers or uses any existing Subscriber-level account on the target site. The attacker then sends a POST request to admin-ajax.php invoking the acb_firebase_auth action with the user_email parameter set to an Administrator's email address. The server issues authentication cookies for the targeted account, granting full administrative access including plugin installation and arbitrary PHP execution.
The vulnerable code paths can be reviewed in the referenced plugin code snippets at line 237 and line 338.
Detection Methods for CVE-2026-8787
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with action=acb_firebase_auth originating from low-privilege user sessions
- Authentication cookies issued for Administrator accounts immediately following an acb_firebase_auth request
- New Administrator accounts, plugin installations, or theme uploads following suspicious AJAX activity
- WordPress audit log entries showing Administrator logins without corresponding password reset or normal login events
Detection Strategies
- Inspect web server access logs for acb_firebase_auth action calls and correlate the requesting session user with the resulting authenticated user
- Monitor for session role changes within a single browser session, particularly Subscriber-to-Administrator transitions
- Deploy WordPress security plugins or web application firewall rules that flag requests to the acb_firebase_auth endpoint pending patch deployment
Monitoring Recommendations
- Enable WordPress activity logging to capture user role assignments, login events, and AJAX endpoint usage
- Forward WordPress and web server logs to a centralized SIEM for correlation across authentication events
- Alert on creation of new administrator-level users or modifications to the wp_users and wp_usermeta tables
How to Mitigate CVE-2026-8787
Immediate Actions Required
- Deactivate and remove the Firebase Support & Chat Management plugin until a patched version is available
- Audit all WordPress user accounts for unauthorized Administrator-level access and remove suspicious entries
- Force password resets for all Administrator accounts and invalidate active sessions
- Review recent plugin installations, theme uploads, and file modifications for signs of post-exploitation activity
Patch Information
At the time of publication, no patched version beyond 3.1.1 is referenced in the NVD entry. Site administrators should consult the Wordfence Vulnerability Report for current patch status and apply vendor updates as soon as they become available.
Workarounds
- Remove the plugin entirely from production WordPress installations until a fix is released
- Restrict access to /wp-admin/admin-ajax.php for the acb_firebase_auth action using web application firewall rules
- Disable open user registration to limit the pool of Subscriber-level accounts available for exploitation
- Apply principle of least privilege by reviewing and downgrading any unnecessary user roles
# Example WAF rule to block the vulnerable AJAX action (ModSecurity)
# phase:2 is needed so ARGS covers the POST body; the chained rule fires only
# when both the URI and the action parameter match.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "id:1026008787,phase:2,deny,status:403,chain,msg:'Block CVE-2026-8787 acb_firebase_auth abuse'"
    SecRule ARGS:action "@streq acb_firebase_auth" "t:none"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.