cleantalk
Vulnerabilities and Security Researches

Admin Chat Box, CVE-2026-8787

CVE, Research URL

CVE-2026-8787

Home page URL

Security reports for Admin Chat Box

Application

Admin Chat Box

Published on
May 27, 2026
Research Description
The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the `firebase_auth()` function authenticating the request as the WordPress user whose email is supplied in the `user_email` POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user — including an Administrator — by submitting that user's email address to the `acb_firebase_auth` AJAX action, resulting in full account takeover.
Affected versions
max 3.1.1.
Status
vulnerable
Previous vulnerability researches
EventPrime – Events Calendar, Bookings and Tickets (CVE-2026-1655) , Apr 15, 2026
EventPrime – Events Calendar, Bookings and Tickets (CVE-2026-1657) , Apr 15, 2026
EventPrime – Events Calendar, Bookings and Tickets (CVE-2024-9864) , May 07, 2025
EventPrime – Events Calendar, Bookings and Tickets (CVE-2026-42686) , May 28, 2026
EventPrime – Events Calendar, Bookings and Tickets (CVE-2024-8369) , Sep 11, 2024
New vulnerability
Content Slideshow (CVE-2026-8873) , May 29, 2026
Islamic Database (CVE-2026-8845) , May 29, 2026
Easy Prism Syntax Highlighter (CVE-2026-8875) , May 29, 2026
GoStats for WordPress (CVE-2026-8943) , May 29, 2026
Admin Chat Box (CVE-2026-8787) , May 29, 2026