{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/firebase-support--chat-management-plugin--3.1.1/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-8787"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Firebase Support \u0026 Chat Management plugin \u003c= 3.1.1"],"_cs_severities":["critical"],"_cs_tags":["privilege-escalation","wordpress","cloud","cve"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Firebase Support \u0026amp; Chat Management plugin for WordPress, in versions up to and including 3.1.1, is susceptible to a privilege escalation vulnerability (CVE-2026-8787). The vulnerability resides in the \u003ccode\u003efirebase_auth()\u003c/code\u003e function, which incorrectly authenticates requests based solely on the \u003ccode\u003euser_email\u003c/code\u003e POST parameter. The function does not verify ownership of the email address: it never validates the Firebase ID token signature, issuer, or audience. This flaw allows an authenticated attacker, even with Subscriber-level access, to impersonate any existing user, including those with Administrator privileges, by sending a crafted request to the \u003ccode\u003eacb_firebase_auth\u003c/code\u003e AJAX action. 
This ultimately results in full account takeover of the targeted WordPress user.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker logs into the WordPress site with a low-privileged account (e.g., Subscriber).\u003c/li\u003e\n\u003cli\u003eAttacker identifies the email address of the target user (e.g., an Administrator).\u003c/li\u003e\n\u003cli\u003eAttacker crafts an HTTP POST request to the \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e endpoint with the \u003ccode\u003eaction\u003c/code\u003e parameter set to \u003ccode\u003eacb_firebase_auth\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted POST request includes the \u003ccode\u003euser_email\u003c/code\u003e parameter set to the target user\u0026rsquo;s email address.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003efirebase_auth()\u003c/code\u003e function in the Firebase Support \u0026amp; Chat Management plugin processes the request.\u003c/li\u003e\n\u003cli\u003eDue to the lack of email ownership verification, the function authenticates the attacker as the target user based solely on the \u003ccode\u003euser_email\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker is now logged in as the target user (e.g., an Administrator) and has access to all of their privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform administrative actions, such as creating new users, modifying site settings, or injecting malicious code, leading to complete compromise of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-8787) allows an attacker with minimal privileges (Subscriber) to gain complete control over a WordPress website. This can lead to data theft, website defacement, malware injection, and denial of service. 
Given that WordPress powers a significant percentage of websites globally, this privilege escalation vulnerability poses a substantial risk. The impact includes complete compromise of victim websites.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Firebase Support \u0026amp; Chat Management plugin to a version greater than 3.1.1 to patch CVE-2026-8787.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-8787 Exploitation Attempt — WordPress Firebase Authentication Bypass\u0026rdquo; to detect potential exploitation attempts by monitoring for POST requests to \u003ccode\u003eadmin-ajax.php\u003c/code\u003e with the \u003ccode\u003eacb_firebase_auth\u003c/code\u003e action and a \u003ccode\u003euser_email\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eEnable web server logging to provide necessary data for the detection rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T07:18:15Z","date_published":"2026-05-27T07:18:15Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8787-wordpress-privesc/","summary":"The Firebase Support \u0026 Chat Management plugin for WordPress is vulnerable to privilege escalation (CVE-2026-8787) where an authenticated attacker with Subscriber-level access can log in as any existing user, including an Administrator, by submitting that user's email address to the `acb_firebase_auth` AJAX action without proper ownership verification, leading to full account takeover.","title":"CVE-2026-8787: WordPress Firebase Support \u0026 Chat Management Plugin Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-8787-wordpress-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Firebase Support \u0026 Chat Management Plugin \u003c= 3.1.1","version":"https://jsonfeed.org/version/1.1"}