Attack Chain

1. Attacker logs into the WordPress site with a low-privileged account (e.g., Subscriber).
2. Attacker identifies the email address of the target user (e.g., an Administrator).
3. Attacker crafts an HTTP POST request to the wp-admin/admin-ajax.php endpoint with the action parameter set to acb_firebase_auth.
4. The crafted POST request includes the user_email parameter set to the target user’s email address.
5. The firebase_auth() function in the Firebase Support & Chat Management plugin processes the request.
6. Due to the lack of email ownership verification, the function authenticates the attacker as the target user based solely on the user_email parameter.
7. The attacker is now logged in as the target user (e.g., an Administrator) and has access to all of their privileges.
8. The attacker can now perform administrative actions, such as creating new users, modifying site settings, or injecting malicious code, leading to complete compromise of the WordPress site.

Impact

Successful exploitation of this vulnerability (CVE-2026-8787) allows an attacker with minimal privileges (Subscriber) to gain complete control over a WordPress website. This can lead to data theft, website defacement, malware injection, and denial of service. Given that WordPress powers a significant percentage of websites globally, this privilege escalation vulnerability poses a substantial risk. The impact includes complete compromise of victim websites.

Recommendation

• Upgrade the Firebase Support & Chat Management plugin to a version greater than 3.1.1 to patch CVE-2026-8787.
• Deploy the Sigma rule “Detect CVE-2026-8787 Exploitation Attempt — WordPress Firebase Authentication Bypass” to detect potential exploitation attempts by monitoring for POST requests to admin-ajax.php with the acb_firebase_auth action and a user_email parameter.
• Enable web server logging to provide necessary data for the detection rules.