Executive Summary
A critical privilege escalation vulnerability (CVE-2026-8206) has been identified in the Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress. The flaw affects all versions from 6.0.0 through 6.0.6 and carries a CVSS score of 9.8 (Critical).
The vulnerability allows an unauthenticated attacker to take over any user account — including site administrators — by exploiting a broken password reset flow. The plugin accepts an arbitrary email address when a username is supplied in a password reset request, allowing attackers to redirect password reset tokens to attacker-controlled email addresses.
Sites running affected versions should update immediately or disable the plugin until a patched release is applied.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-8206 |
| CVSS Score | 9.8 (Critical) |
| Type | Privilege Escalation via Account Takeover |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Patch Available | Check plugin update channel |
Affected Versions
| Plugin | Affected Versions | Status |
|---|---|---|
| Kirki – Freeform Page Builder | 6.0.0 – 6.0.6 | Patch required |
Technical Analysis
Root Cause
The flaw resides in the password reset mechanism of the Kirki plugin. When a user initiates a password reset using their username, the plugin is supposed to look up the associated email address and send the reset link to that address only.
Instead, the plugin accepts an attacker-supplied email address as the reset destination, without validating that the email matches the account associated with the provided username. This means:
- An attacker supplies a target username (e.g., admin) and their own email address
- The plugin generates a valid password reset token for the admin account
- The reset link is sent to the attacker's email, not the legitimate account owner's
- The attacker clicks the reset link, sets a new password, and gains full account access
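The flawed pattern beside a corrected handler, as an added PHP illustration written for this advisory, not code taken from Kirki. The function names and the two form fields (username, email) are assumed; the WordPress functions called are core API.

```php
<?php
// Added illustration, not Kirki's code. Both handlers take the two fields a
// reset form submits (field names assumed): a username and an email address.

// Flawed pattern described in the advisory: the caller-supplied address is
// used as the destination for a token that belongs to someone else's account.
function reset_request_vulnerable( string $username, string $email ) {
    $user = get_user_by( 'login', sanitize_user( $username ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }
    $key = get_password_reset_key( $user ); // token valid for $user
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
    // Bug: $email is never compared with $user->user_email, so the token for
    // "admin" is mailed to whatever address the requester typed in.
    return wp_mail( $email, 'Password reset', "Reset your password: $link" );
}

// Corrected pattern: the stored address is the only possible destination.
// A submitted email is at most an extra check, never a delivery target, and
// the response is the same whether or not the account exists.
function reset_request_hardened( string $username, string $email ) {
    $user = get_user_by( 'login', sanitize_user( $username ) );
    if ( ! $user || 0 !== strcasecmp( $user->user_email, sanitize_email( $email ) ) ) {
        return true; // say nothing about why; no mail is sent
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
    return wp_mail( $user->user_email, 'Password reset', "Reset your password: $link" );
}

// Simplest fix of all on WordPress 5.7+: delegate to core, which only ever
// mails the stored address:  retrieve_password( $username );
```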
Attack Flow
1. Attacker identifies a valid WordPress username (e.g., "admin" — default for many sites)
2. Attacker sends password reset request via Kirki's reset flow:
- username: admin
- email: attacker@evil.com (arbitrary — not validated)
3. Plugin generates a valid reset token tied to the admin account
4. Reset email with token is sent to attacker@evil.com
5. Attacker opens reset link, sets a new password for the admin account
6. Attacker logs in as administrator — full site compromise
Exploitation Conditions
- Kirki plugin version 6.0.0–6.0.6 must be installed and active
- The Kirki custom login/password reset UI must be in use (not a configuration default on all installations — verify whether your theme activates it)
- The attacker needs a valid WordPress username (admin enumeration is trivial on most WordPress sites)
Impact Assessment
| Impact Area | Description |
|---|---|
| Full Account Takeover | Any user account, including admins, can be seized |
| Site Defacement | Admin access allows modification of all content, themes, and plugins |
| Data Exfiltration | Access to user data, form submissions, contact details, and plugin data |
| Malware Installation | Admin can install malicious plugins or modify PHP files |
| SEO Poisoning | Attacker can inject spam links or redirect traffic |
| Persistent Backdoor | New admin accounts or PHP webshells can be installed |
Immediate Remediation
Step 1: Update Kirki Plugin
Check for an updated version of Kirki via the WordPress plugin repository or via WP-CLI:
```bash
# Check current version
wp plugin get kirki --field=version
# Update to latest version
wp plugin update kirki
# Verify updated version
wp plugin get kirki --field=version
```
Or navigate to WordPress Admin → Plugins → Installed Plugins → Kirki → Update Now.
Step 2: Disable Plugin if Patch Is Not Yet Available
If no patched release is yet available, deactivate the plugin immediately:
```bash
wp plugin deactivate kirki
```
Or navigate to WordPress Admin → Plugins → Deactivate next to Kirki.
Step 3: Audit for Compromise
```bash
# List all administrator accounts with their registration dates
wp user list --role=administrator --fields=user_login,user_email,user_registered
# Look for any accounts created in the last 14 days
# (replace the wp_ table prefix if the site uses a custom one)
wp db query "SELECT user_login, user_email, user_registered FROM wp_users WHERE user_registered > DATE_SUB(NOW(), INTERVAL 14 DAY);"
# Search for PHP files modified more recently than the last core update
find /var/www/html/wp-content/ -name "*.php" -newer /var/www/html/wp-includes/version.php -type f
# Check the active plugin set for anything you did not install
wp plugin list --status=active
```
Step 4: Harden WordPress Password Reset
```bash
# Set a fresh random password on every administrator account. The password is
# generated per account inside the loop (a single $(openssl ...) on an xargs
# line would be expanded once and reuse one value for all admins). --skip-email
# suppresses the notification mail. This also resets your own admin password.
for id in $(wp user list --role=administrator --format=ids); do
  wp user update "$id" --user_pass="$(openssl rand -base64 24)" --skip-email
done
# Invalidate all active sessions (adjust the wp_ prefix if customised)
wp db query "DELETE FROM wp_usermeta WHERE meta_key = 'session_tokens';"
# Regenerate WordPress secret keys; existing auth cookies stop validating
wp config shuffle-salts
```
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected admin account creation | Post-exploitation persistence |
| Password reset requests with mismatched username/email | Active exploitation attempt |
| Password reset emails sent to unfamiliar domains | Token redirect attack in progress |
| New plugin installations from unfamiliar sessions | Post-compromise plugin deployment |
| File modifications in wp-content/plugins/kirki/ | Potential backdoor injection |
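A compensating control that turns the "mismatched username/email" and "unfamiliar recipient" indicators above into an enforced check, added here as an example and not part of Kirki or WordPress core. It assumes the plugin sends reset mail through wp_mail() and that the link follows core's wp-login.php?action=rp&key=...&login=... form; a plugin with its own mailer or link format would bypass it.

```php
<?php
/**
 * Plugin Name: Reset Mail Guard (added example, not part of Kirki)
 * Install as wp-content/mu-plugins/reset-mail-guard.php. Inspects every mail
 * that carries a password-reset link and refuses to send it when the
 * recipient is not the address stored for the account named in the link.
 * Assumption: reset mail is sent via wp_mail(); other mailers bypass this.
 */
add_filter( 'pre_wp_mail', function ( $short_circuit, array $atts ) {
    if ( null !== $short_circuit ) {
        return $short_circuit; // another filter already decided
    }
    $message = is_string( $atts['message'] ?? null ) ? $atts['message'] : '';
    // Core builds reset links as action=rp&key=<key>&login=<user>; HTML mail
    // may encode & as &amp;, so accept both.
    if ( ! preg_match( '/action=rp&(?:amp;)?key=[^&\s]+&(?:amp;)?login=([^&\s"\'<>]+)/', $message, $m ) ) {
        return null; // not a reset mail, let wp_mail() proceed
    }
    $user = get_user_by( 'login', rawurldecode( $m[1] ) );
    if ( ! $user ) {
        return null;
    }
    $to = $atts['to'] ?? '';
    $recipients = is_array( $to ) ? $to : preg_split( '/[,\s]+/', (string) $to, -1, PREG_SPLIT_NO_EMPTY );
    foreach ( $recipients as $rcpt ) {
        if ( preg_match( '/<([^>]+)>/', $rcpt, $mm ) ) {
            $rcpt = $mm[1]; // strip "Display Name <addr>" wrapping
        }
        if ( 0 !== strcasecmp( trim( $rcpt ), $user->user_email ) ) {
            error_log( sprintf(
                'reset-mail-guard: blocked reset mail for "%s" addressed to %s (request from %s)',
                $user->user_login, $rcpt, $_SERVER['REMOTE_ADDR'] ?? 'cli'
            ) );
            return false; // wp_mail() returns false and nothing is sent
        }
    }
    return null; // recipient matches the account: deliver normally
}, 10, 2 );
```

The error_log line gives the access-log review in the checklist below a concrete string to search for, and the return value of false keeps the redirected token from ever leaving the server.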
Post-Remediation Checklist
- Update Kirki plugin to the latest patched version
- Disable the plugin if no patch is available
- Audit all administrator accounts and remove unauthorized entries
- Reset all admin passwords and regenerate WordPress secret keys
- Invalidate all active sessions to force re-authentication
- Scan for webshells in wp-content/ and plugin directories
- Review access logs for evidence of password reset abuse
- Enable 2FA on all administrator and editor accounts
- Restrict the WordPress login page via IP allowlist or WAF rules