WordPress Firebase Plugin Privilege Escalation via Email Spoofing

The Firebase Support & Chat Management plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.1.1. This is due to the `firebase_auth()` function authenticating the request as the WordPress user whose email is supplied in the `user_email` POST parameter without verifying ownership of that email (no Firebase ID token signature/issuer/audience verification). This makes it possible for authenticated attackers, with Subscriber-level access and above, to log in as an arbitrary existing user — including an Administrator — by submitting that user's email address to the `acb_firebase_auth` AJAX action, resulting in full account takeover.

Casky was already ahead

This CVE exploits attack patterns that Casky's 203matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

The Firebase Support & Chat Management plugin for WordPress versions up to 3.1.1 contains a critical privilege escalation vulnerability in its authentication mechanism. The `firebase_auth()` function accepts a user email address via POST parameter and authenticates requests as that user without verifying Firebase ID token signatures, issuers, or audience claims. This allows any authenticated subscriber-level user to impersonate administrative accounts by simply supplying a target user's email address, completely bypassing Firebase's cryptographic authentication layer. WordPress installations using this plugin are exposed to account takeover and unauthorized administrative access, affecting both small business sites and enterprise deployments relying on this chat management functionality.

Casky's skill library—powered by Claude's reasoning capabilities—maps this vulnerability to MITRE ATT&CK technique TA0004 (Privilege Escalation) and identifies 203 related detection patterns across authentication bypass, token manipulation, and lateral movement scenarios. Practitioners using Casky would see findings highlighting suspicious authentication requests lacking valid token validation, POST parameters containing high-value email addresses (admin@, root@), authentication logs showing subscriber accounts accessing admin-level resources, and inconsistencies between claimed identity and verified Firebase credentials. The platform's extended reasoning would correlate these indicators—email parameter injection patterns, missing cryptographic verification checks in logs, and privilege level mismatches—to surface this specific attack chain and recommend immediate token validation enforcement and authentication mechanism audits.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

203 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-8787.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-office365-audit-logs-for-compromise

cloud security · low

Run

MITRE ATT&CK Techniques

TA0004

Investigate the attack patterns behind CVE-2026-8787

Casky has 203 skills that investigate the attack patterns behind CVE-2026-8787. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn