cleantalk
Vulnerabilities and Security Researches

Admin Chat Box, CVE-2026-8787

CVE, Research URL

CVE-2026-8787

Home page URL

Security reports for Admin Chat Box

Application

Admin Chat Box

Published on
May 27, 2026
Research Description
The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the `firebase_auth()` function authenticating the request as the WordPress user whose email is supplied in the `user_email` POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user — including an Administrator — by submitting that user's email address to the `acb_firebase_auth` AJAX action, resulting in full account takeover.
Affected versions
max 3.1.1.
Status
vulnerable
Previous vulnerability researches
SlimStat Analytics (CVE-2025-14151) , Jan 27, 2026
SlimStat Analytics (CVE-2026-7634) , May 28, 2026
SlimStat Analytics (CVE-2015-1204) , Jun 07, 2024
SlimStat Analytics (CVE-2014-100027) , Jun 07, 2024
SlimStat Analytics (CVE-2019-15112) , Jun 07, 2024
New vulnerability
Content Slideshow (CVE-2026-8873) , May 29, 2026
Islamic Database (CVE-2026-8845) , May 29, 2026
Easy Prism Syntax Highlighter (CVE-2026-8875) , May 29, 2026
GoStats for WordPress (CVE-2026-8943) , May 29, 2026
Admin Chat Box (CVE-2026-8787) , May 29, 2026