โ† Back to Dashboard

CVE-2026-8787

HIGH NVD
CVSS Score
8.8
Severity
HIGH
Source
NVD
Published
May 27, 2026
Description

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the `firebase_auth()` function authenticating the request as the WordPress user whose email is supplied in the `user_email` POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user โ€” including an Administrator โ€” by submitting that user's email address to the `acb_firebase_auth` AJAX action, resulting in full account takeover.

View Full Details โ† Back