vulnerability

WordPress Plugin: kirki: CVE-2026-8206: Improper Privilege Management

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Jun 1, 2026

Added

Jun 2, 2026

Modified

Jun 3, 2026

Description

The Kirki – Freeform Page Builder, Website Builder and Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.

Solution

kirki-plugin-cve-2026-8206

References

https://www.cve.org/CVERecord?id=CVE-2026-8206
https://www.wordfence.com/threat-intel/vulnerabilities/id/3b5630bd-5bce-4226-959f-5e81ae69b799?source=api-prod
https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-33881
CVE-2026-8206
https://attackerkb.com/topics/CVE-2026-8206
CWE-269
EUVD-EUVD-2026-33881

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report