PatchSiren cyber security CVE debrief

CVE-2026-8787 devsabbirahmed CVE debrief

The Firebase Support & Chat Management plugin for WordPress is vulnerable to authentication bypass and privilege escalation in all versions up to and including 3.1.1. The vulnerability exists in the `firebase_auth()` function, which authenticates requests based solely on a user-supplied `user_email` POST parameter without verifying Firebase ID token signatures, issuer claims, or audience validation. This allows any authenticated WordPress user with Subscriber-level access or higher to impersonate arbitrary existing users—including Administrators—by submitting the target user's email address to the `acb_firebase_auth` AJAX action. The flaw represents a critical authentication logic error where the plugin trusts client-provided identity assertions without cryptographic verification against Firebase's authentication service. The vulnerability was disclosed on May 27, 2026, with source code references pointing to the ACB_AjaxHandler.php file in both the tagged 3.1.1 release and trunk development branch.

Vendor: devsabbirahmed
Product: Firebase Support & Chat Management
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using the Firebase Support & Chat Management plugin; security teams responsible for WordPress application security; managed service providers hosting WordPress environments; compliance officers tracking authentication control failures

Technical summary

The `firebase_auth()` function in ACB_AjaxHandler.php accepts a `user_email` parameter from POST requests and authenticates the session as that WordPress user without validating Firebase ID token cryptographic signatures or standard JWT claims (iss, aud, exp). The `acb_firebase_auth` AJAX action is accessible to authenticated users with Subscriber role or higher, enabling horizontal and vertical privilege escalation to any arbitrary user account including Administrators. The vulnerability affects all plugin versions through 3.1.1.
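To make the logic error concrete, here is an added example (not code from the plugin or from PatchSiren) contrasting the described pattern, where the POST parameter `user_email` alone selects the WordPress account, with a hardened handler that only accepts an identity carried in an ID token whose signature, issuer, audience, expiry and subject have been checked. The Firebase project id, signing key, user table and token contents are all constructed; the token is HS256-signed with a shared demo key so it can be verified offline, whereas real Firebase ID tokens are RS256-signed and must be verified against Google's published certificates. The issuer format `https://securetoken.google.com/<project-id>` and the audience equal to the project id are the claim values Firebase documents for its ID tokens.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demonstration; none of them come from the advisory.
PROJECT_ID = "example-firebase-project"                        # assumed Firebase project id
EXPECTED_ISS = f"https://securetoken.google.com/{PROJECT_ID}"  # Firebase ID token issuer format
DEMO_KEY = b"constructed-demo-signing-key"  # HS256 stand-in; real Firebase tokens are RS256
                                            # and are verified against Google's public certs

# Stand-in for the WordPress user table keyed by e-mail (constructed).
WP_USERS = {
    "admin@example.com": {"id": 1, "role": "administrator"},
    "subscriber@example.com": {"id": 42, "role": "subscriber"},
}


class TokenError(Exception):
    """Raised when an ID token fails signature or claim validation."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a demo HS256 token so the verifier can be exercised offline."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def vulnerable_firebase_auth(post: dict) -> Optional[dict]:
    """The flaw as described: whoever fills in user_email becomes that user."""
    return WP_USERS.get(post.get("user_email", ""))


def verify_id_token(token: str, key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Check the signature first, then iss/aud/exp/sub, before any claim is trusted."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the expected algorithm; never accept "none"
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise TokenError("issuer mismatch")
    if claims.get("aud") != PROJECT_ID:
        raise TokenError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("token expired")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims


def hardened_firebase_auth(post: dict, now: Optional[float] = None) -> Optional[dict]:
    """Identity comes only from the verified token; a user_email field in the POST is ignored."""
    token = post.get("id_token")
    if not token:
        return None
    try:
        claims = verify_id_token(token, now=now)
    except TokenError:
        return None
    if not claims.get("email_verified"):  # only map verified addresses to local accounts
        return None
    return WP_USERS.get(claims.get("email", ""))


if __name__ == "__main__":
    now = 1_700_000_000
    good = make_token({"iss": EXPECTED_ISS, "aud": PROJECT_ID, "sub": "uid-42",
                       "email": "subscriber@example.com", "email_verified": True,
                       "exp": now + 3600})
    post = {"user_email": "admin@example.com", "id_token": good}
    print("vulnerable:", vulnerable_firebase_auth(post))        # administrator
    print("hardened:  ", hardened_firebase_auth(post, now=now))  # subscriber
```

The point of the contrast is the source of identity: in the hardened handler a mismatch between the POST's `user_email` and the token's `email` is irrelevant, because the former is never read, and a token signed with a different key, issued for another project or already expired yields no session at all.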

Defensive priority

Critical

Recommended defensive actions

  • Immediately update the Firebase Support & Chat Management plugin to a version beyond 3.1.1 if a patched release becomes available
  • If no patch is available, consider disabling or removing the plugin until a fix is released
  • Implement Web Application Firewall (WAF) rules to block or log requests to the `acb_firebase_auth` AJAX action with suspicious patterns
  • Review WordPress user accounts for unauthorized Administrator-level access that may have been established through this vulnerability
  • Audit authentication logs for anomalous login patterns involving email-based authentication bypass
  • Apply principle of least privilege by reviewing and minimizing Subscriber-level accounts that could serve as attack vectors
  • Consider implementing additional authentication hardening plugins that enforce multi-factor authentication for administrative accounts
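The logging and audit items above come down to one check: did the account that sent the `acb_firebase_auth` request assert its own e-mail address, or somebody else's? The added example below (not part of the advisory or the plugin) triages constructed request records of the kind a WAF or reverse proxy in front of WordPress could produce if it records the authenticated session's e-mail alongside the POST body to admin-ajax.php; the field names, addresses and the list of administrator e-mails are all assumptions.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed request records; field names are assumed, not a real WAF schema.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.10", "session_email": "subscriber@example.com",
     "path": "/wp-admin/admin-ajax.php",
     "body": "action=acb_firebase_auth&user_email=subscriber%40example.com"},
    {"src": "203.0.113.10", "session_email": "subscriber@example.com",
     "path": "/wp-admin/admin-ajax.php",
     "body": "action=acb_firebase_auth&user_email=admin%40example.com"},
    {"src": "198.51.100.7", "session_email": "editor@example.com",
     "path": "/wp-admin/admin-ajax.php",
     "body": "action=heartbeat&interval=60"},
    {"src": "198.51.100.7", "session_email": "editor@example.com",
     "path": "/wp-admin/admin-ajax.php",
     "body": "action=acb_firebase_auth&user_email=author%40example.com"},
]

# Constructed; in practice derive this from the site's actual administrator accounts.
ADMIN_EMAILS = {"admin@example.com"}


def analyse_request(req: Dict) -> Optional[Dict]:
    """Return a finding for acb_firebase_auth calls, graded by who is being asserted."""
    if not req.get("path", "").endswith("/admin-ajax.php"):
        return None
    params = parse_qs(req.get("body", ""))
    if params.get("action", [""])[0] != "acb_firebase_auth":
        return None
    asserted = params.get("user_email", [""])[0].strip().lower()
    session = (req.get("session_email") or "").strip().lower()
    if asserted and asserted == session:
        severity = "info"        # the plugin's own self-authentication flow; keep for audit
    elif asserted in ADMIN_EMAILS:
        severity = "critical"    # session asserting an administrator's address
    else:
        severity = "high"        # session asserting any other account
    return {"src": req.get("src"), "session": session or None,
            "asserted": asserted, "severity": severity}


def triage(requests: List[Dict]) -> List[Dict]:
    """Run the check over a batch and return only the acb_firebase_auth findings."""
    return [f for f in (analyse_request(r) for r in requests) if f is not None]


def sources_to_review(findings: List[Dict]) -> List[str]:
    """Distinct source addresses behind any non-info finding, for the account review step."""
    return sorted({f["src"] for f in findings if f["severity"] != "info"})


if __name__ == "__main__":
    for finding in triage(SAMPLE_REQUESTS):
        print(finding)
    print("review accounts reached from:", sources_to_review(triage(SAMPLE_REQUESTS)))
```

Anything graded high or critical is a candidate for the account review the advisory recommends: the asserted address names the account whose recent logins, role changes and sessions should be inspected, and the source address and session e-mail identify the Subscriber-level account that should be reviewed under the least-privilege item.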

Evidence notes

Vulnerability confirmed through WordPress Plugin Trac source code analysis at lines 237 and 338 of ACB_AjaxHandler.php in both the 3.1.1 tag and the trunk branch. Wordfence threat intelligence provides additional technical context. CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-269 (Improper Privilege Management) is classified as the primary weakness.
