PT-2026-43507 · WordPress · Firebase Support & Chat Management

Farrukh Ziyaev · Published 2026-05-27 · Updated 2026-06-04 · CVE-2026-8787

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Firebase Support & Chat Management plugin for WordPress versions prior to 3.1.2

Description

An issue allows authenticated attackers with Subscriber-level access or higher to escalate privileges and achieve full account takeover. The firebase auth() function authenticates requests based on the email provided in the user email POST parameter without verifying the ownership of that email, as it fails to validate the Firebase ID token signature, issuer, or audience. By submitting a target user's email address to the acb firebase auth AJAX action, an attacker can log in as any existing user, including an Administrator.

Recommendations

Update to a version later than 3.1.1. As a temporary workaround, restrict access to the acb firebase auth AJAX action or avoid using the user email parameter until the update is applied.
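
The checks the description names as missing (signature, issuer, audience) can be sketched as follows. This is an added example, not the plugin's code or its actual fix; the function names, the `$certs` parameter (key id => PEM certificate, obtained by the caller from Google's published signing certificates for Firebase ID tokens) and the 60-second clock leeway are assumptions.

```php
<?php
// Added example with hypothetical names; not taken from the plugin.
function b64url_decode(string $s) {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad, true); // false on bad input
}

/** Returns the e-mail proven by the token, or null if the token must be rejected. */
function verified_email_from_id_token(string $jwt, string $projectId, array $certs, ?int $now = null): ?string {
    $now = $now ?? time();
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h64, $p64, $s64] = $parts;
    $header = json_decode((string) b64url_decode($h64), true);
    $claims = json_decode((string) b64url_decode($p64), true);
    $sig = b64url_decode($s64);
    if (!is_array($header) || !is_array($claims) || !is_string($sig)) return null;

    // Signature: pin RS256 and accept only a key id we already trust.
    if (($header['alg'] ?? '') !== 'RS256') return null;
    $kid = $header['kid'] ?? '';
    if (!is_string($kid) || !isset($certs[$kid])) return null;
    $key = openssl_pkey_get_public($certs[$kid]);
    if ($key === false) return null;
    if (openssl_verify($h64 . '.' . $p64, $sig, $key, OPENSSL_ALGO_SHA256) !== 1) return null;

    // Issuer and audience must both name this site's Firebase project.
    if (($claims['iss'] ?? '') !== 'https://securetoken.google.com/' . $projectId) return null;
    if (($claims['aud'] ?? '') !== $projectId) return null;

    // Lifetime and subject (60 s leeway for clock skew is an assumption).
    if (!is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) return null;
    if (!is_int($claims['iat'] ?? null) || $claims['iat'] > $now + 60) return null;
    if (!is_string($claims['sub'] ?? null) || $claims['sub'] === '') return null;

    // Identity comes from the signed claims only, never from a request parameter.
    if (($claims['email_verified'] ?? false) !== true) return null;
    $email = $claims['email'] ?? null;
    return (is_string($email) && $email !== '') ? $email : null;
}
```

A handler built this way looks up the WordPress user from the returned address and ignores any e-mail value sent in the POST body.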

Fix

LPE

Improper Privilege Management


Weakness Enumeration

Related Identifiers

CVE-2026-8787

Affected Products

Firebase Support & Chat Management