CVE-2026-8787: WordPress Firebase Support & Chat Management Plugin Privilege Escalation
The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation (CVE-2026-8787) where an authenticated attacker with Subscriber-level access can log in as any existing user, including an Administrator, by submitting that user's email address to the `acb_firebase_auth` AJAX action without proper ownership verification, leading to full account takeover.
The Firebase Support & Chat Management plugin for WordPress, in versions up to and including 3.1.1, is susceptible to a privilege escalation vulnerability (CVE-2026-8787). The vulnerability resides in the `firebase_auth()` function, which incorrectly authenticates requests based solely on the `user_email` POST parameter. The function fails to verify ownership of the email address by validating the Firebase ID token signature, issuer, or audience. This flaw allows an authenticated attacker, even with Subscriber-level access, to impersonate any existing user, including those with Administrator privileges, by sending a crafted request to the `acb_firebase_auth` AJAX action. This ultimately results in full account takeover of the targeted WordPress user.
Attack Chain
- Attacker logs into the WordPress site with a low-privileged account (e.g., Subscriber).
- Attacker identifies the email address of the target user (e.g., an Administrator).
- Attacker crafts an HTTP POST request to the `wp-admin/admin-ajax.php` endpoint with the `action` parameter set to `acb_firebase_auth`.
- The crafted POST request includes the `user_email` parameter set to the target user's email address.
- The `firebase_auth()` function in the Firebase Support & Chat Management plugin processes the request.
- Due to the lack of email ownership verification, the function authenticates the attacker as the target user based solely on the `user_email` parameter.
- The attacker is now logged in as the target user (e.g., an Administrator) and has access to all of their privileges.
- The attacker can now perform administrative actions, such as creating new users, modifying site settings, or injecting malicious code, leading to complete compromise of the WordPress site.
Impact
Successful exploitation of this vulnerability (CVE-2026-8787) allows an attacker with minimal privileges (Subscriber) to gain complete control over a WordPress website. This can lead to data theft, website defacement, malware injection, and denial of service. Given that WordPress powers a significant percentage of websites globally, this privilege escalation vulnerability poses a substantial risk: the impact is complete compromise of the affected site.
Recommendation
- Upgrade the Firebase Support & Chat Management plugin to a version greater than 3.1.1 to patch CVE-2026-8787.
- Deploy the Sigma rule “Detect CVE-2026-8787 Exploitation Attempt — WordPress Firebase Authentication Bypass” to detect potential exploitation attempts by monitoring for POST requests to `admin-ajax.php` with the `acb_firebase_auth` action and a `user_email` parameter.
- Enable web server logging to provide the necessary data for the detection rules.
Detection coverage (2 rules)
- Detect CVE-2026-8787 Exploitation Attempt — WordPress Firebase Authentication Bypass (severity: critical). Detects a CVE-2026-8787 exploitation attempt, i.e. an attacker trying to exploit the authentication bypass in the Firebase Support & Chat Management plugin. This rule detects POST requests to `admin-ajax.php` with the `acb_firebase_auth` action and a `user_email` parameter.
- Detect Potential CVE-2026-8787 Reconnaissance — WordPress Firebase Plugin (severity: low). Detects reconnaissance activity targeting the WordPress Firebase Support & Chat Management plugin by monitoring requests to the `admin-ajax.php` endpoint.
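The two rule descriptions above (and the recommendation to enable web server logging) translate directly into a small log-scanning check. The following is an added example written for this advisory, not the platform's Sigma rule or the plugin's code: it parses Apache/nginx combined-format access-log lines, merges the `action` parameter from the query string with any request body the log source happens to provide (WordPress accepts `action` from either), and classifies a hit as critical or low using the same conditions as the two rules. The sample log lines are constructed. One deliberate narrowing: the low-severity rule here fires only on `admin-ajax.php` requests that carry the `acb_firebase_auth` action rather than on every `admin-ajax.php` request, because that endpoint serves the WordPress heartbeat and most plugin AJAX traffic and would otherwise alert constantly. A caveat a practitioner will hit immediately: plain access logs do not record POST bodies, so an attacker who places both parameters in the body is only visible to this rule if a WAF or reverse proxy logs request bodies (the `body` argument below).

```python
"""Added detection example for CVE-2026-8787 (not the vendor's or the platform's rule).

Mirrors the two rule descriptions from the advisory:
  critical: POST to admin-ajax.php with action=acb_firebase_auth and a user_email parameter
  low:      any other request to admin-ajax.php carrying the acb_firebase_auth action
            (narrowed from "any request to admin-ajax.php", which is far too noisy on a live site)
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" access-log layout; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

PLUGIN_ACTION = "acb_firebase_auth"   # AJAX action named in the advisory
AJAX_PATH = "/admin-ajax.php"         # WordPress AJAX endpoint (under wp-admin/)

# Constructed sample log (not real traffic); addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jun/2026:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=acb_firebase_auth&user_email=admin%40example.test HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Jun/2026:12:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=acb_firebase_auth HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2026:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the captured fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(method, uri, body=""):
    """Apply both rules to one request.

    Returns "critical", "low" or None. `body` is the URL-encoded POST body when the
    log source records it (WAF / reverse proxy); plain access logs leave it empty.
    """
    parts = urlsplit(uri)
    if not parts.path.endswith(AJAX_PATH):
        return None
    # WordPress reads 'action' from either the query string or the POST body, so merge both.
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in parse_qs(body, keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if PLUGIN_ACTION not in params.get("action", []):
        return None
    if method == "POST" and "user_email" in params:
        return "critical"   # exploitation-attempt rule
    return "low"            # reconnaissance rule (narrowed to the plugin's action)


def scan(log_text):
    """Run both rules over a block of access-log text and return the matching events."""
    events = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue  # unparseable line; a real pipeline would count these
        severity = classify(fields["method"], fields["uri"])
        if severity:
            events.append({
                "severity": severity,
                "ip": fields["ip"],
                "time": fields["time"],
                "method": fields["method"],
                "uri": fields["uri"],
            })
    return events


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(f'{e["severity"]:8} {e["ip"]:15} {e["method"]} {e["uri"]}')
```

Running the module against the constructed sample yields one critical event (the POST carrying both `action=acb_firebase_auth` and `user_email`) and one low event (the earlier GET probe of the same action from the same address); the heartbeat call and the front-page request are ignored. On a real site, a critical hit should be correlated with the WordPress authentication log for that session, since the advisory's whole point is that the request results in a login as the user named in `user_email`.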