Critical Privilege Escalation in Kirki WordPress Plugin (CVE‑2026‑8206) Enables Admin Account Hijack
What It Is – A newly disclosed privilege‑escalation flaw (CVE‑2026‑8206) in the Kirki – Freeform Page Builder & Customizer WordPress plugin allows an unauthenticated attacker to generate a password‑reset link for any user and have it delivered to an attacker‑controlled email address.
Exploitability – Active exploitation is confirmed; Wordfence blocked >222 attempts in the last 24 hours. Public PoC code has been shared on security forums. CVSS v3.1 base score: 9.8 (Critical).
Affected Products – Kirki plugin versions 6.0.0 through 6.0.6 (≈40 % of the plugin’s install base, >500 k sites).
TPRM Impact – Third‑party websites running Kirki become a vector for admin‑account takeover and, through it, credential theft, malicious code injection, and potential exposure of customer data. Supply‑chain risk is heightened for agencies, SaaS platforms, and managed‑service providers that host client WordPress sites.
Recommended Actions –
- Verify whether Kirki is installed on any managed WordPress assets.
- Immediately upgrade to Kirki 6.0.7 or later; if upgrade is not feasible, disable or remove the plugin.
- Enforce MFA for all WordPress admin accounts and rotate passwords for any accounts that may have been compromised.
- Deploy Web Application Firewall (WAF) rules to block the vulnerable handle_forgot_password REST endpoint.
- Conduct a post‑remediation audit for malicious plugins, web shells, or unauthorized content changes.
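The following shell helpers are an added example for the triage steps above; they are not from the advisory, BleepingComputer, or the Kirki project. They assume WP-CLI is available for the managed sites (the `wp plugin get kirki --field=version` command is real WP-CLI; the `kirki` slug and the document-root paths are assumptions), and they match the `handle_forgot_password` substring that the advisory names because the full REST route is not given on the page. The sample access-log lines, including the route path in them, are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the advisory or the Kirki project.
# Helpers for the CVE-2026-8206 response: flag affected Kirki versions,
# check managed sites with WP-CLI (assumed available), and pull hits on the
# vulnerable route out of combined-format access logs.

# Return 0 (true) when a Kirki version string falls in the affected range
# 6.0.0 through 6.0.6. Anything outside 6.0.x is treated as not affected,
# which matches the advisory's stated range.
kirki_is_vulnerable() {
    v=${1#v}                                   # tolerate a leading "v"
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3 | sed 's/[^0-9].*//')
    patch=${patch:-0}
    case "$major.$minor" in
        6.0) ;;
        *) return 1 ;;
    esac
    if [ "$patch" -le 6 ]; then
        return 0
    fi
    return 1
}

# Check one WordPress document root with WP-CLI (assumption: wp is on PATH).
# Prints a one-line verdict; returns 1 only when a vulnerable Kirki is found.
check_site() {
    path="$1"
    if ! ver=$(wp --path="$path" plugin get kirki --field=version 2>/dev/null); then
        echo "$path: kirki not installed"
        return 0
    fi
    if kirki_is_vulnerable "$ver"; then
        echo "$path: kirki $ver VULNERABLE - upgrade to 6.0.7 or later"
        return 1
    fi
    echo "$path: kirki $ver ok"
    return 0
}

# Count requests that reference the vulnerable route in access-log text on
# stdin. Always prints a number (0 when nothing matched) and exits 0, so it is
# safe under set -e.
count_forgot_password_hits() {
    grep -c 'handle_forgot_password' || true
}

# List source IPs that hit the route, most active first, as input for WAF or
# firewall blocking decisions.
forgot_password_sources() {
    grep 'handle_forgot_password' | awk '{print $1}' | sort | uniq -c | sort -rn || true
}

# Constructed sample log (the route path is illustrative; only the
# handle_forgot_password substring comes from the advisory).
SAMPLE_LOG='203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "POST /wp-json/kirki/v1/handle_forgot_password HTTP/1.1" 200 152 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Jan/2026:10:00:09 +0000] "POST /wp-json/kirki/v1/handle_forgot_password HTTP/1.1" 403 12 "-" "curl/8.0"'

# Usage: ./kirki_triage.sh /var/www/site1 /var/www/site2 ...
# With no arguments, run the log helpers over the constructed sample instead.
if [ $# -gt 0 ]; then
    rc=0
    for p in "$@"; do
        check_site "$p" || rc=1
    done
    exit $rc
else
    echo "sample log hits: $(printf '%s\n' "$SAMPLE_LOG" | count_forgot_password_hits)"
    printf '%s\n' "$SAMPLE_LOG" | forgot_password_sources
fi
```

Run the script with your document roots as arguments to get a per-site verdict (non-zero exit if any site is vulnerable), or pipe a real access log into `forgot_password_sources` to see which addresses are probing the route; the same substring match is what a WAF or reverse-proxy deny rule would key on until every site is on 6.0.7 or later.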
Source: BleepingComputer