CVE-2026-8787
Deferred Deferred - Pending Action
Privilege Escalation in Firebase Support & Chat Management WordPress Plugin

Publication date: 2026-05-27

Last updated on: 2026-05-27

Assigner: Wordfence

Description
The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the `firebase_auth()` function authenticating the request as the WordPress user whose email is supplied in the `user_email` POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user β€” including an Administrator β€” by submitting that user's email address to the `acb_firebase_auth` AJAX action, resulting in full account takeover.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-27
Generated
2026-06-16
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-8787
EUVD
EUVD-2026-32079
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
firebase firebase_support_and_chat_management_plugin to 3.1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Firebase Support & Chat Management plugin for WordPress has a privilege escalation vulnerability in all versions up to and including 3.1.1. This occurs because the plugin's firebase_auth() function authenticates requests based solely on the email address provided in the user_email POST parameter, without verifying that the requester actually owns that email. Specifically, it lacks Firebase ID token signature, issuer, and audience verification.

As a result, an attacker who is already authenticated with at least Subscriber-level access can impersonate any existing user by submitting that user's email address to the acb_firebase_auth AJAX action. This can lead to full account takeover, including Administrator accounts.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers with minimal privileges (Subscriber-level or higher) to escalate their access to any user account, including administrators. This means an attacker can gain full control over the WordPress site by taking over high-privilege accounts.

The consequences include unauthorized access to sensitive data, modification or deletion of content, installation of malicious code, and disruption of site operations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8787. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart