A critical security flaw in the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin is exposing sites to account takeover and privilege escalation attacks, with roughly 150,000 sites estimated to be running the vulnerable versions introduced in the 6.0 release.
Tracked as CVE-2026-8206 and rated 9.8 (Critical), the bug affects Kirki versions 6.0.0 through 6.0.6 and has now been patched in version 6.0.7. The issue was reported on May 4, 2026, by researcher CHOIGYEONGMIN via the Wordfence Bug Bounty Program, earning a bounty of $6,436.
WordPress Plugin Flaw
The vulnerability resides in Kirki’s password reset workflow, specifically in the handle_forgot_password() function of the CompLibFormHandler class, which is exposed via a custom REST API endpoint for frontend account management.
The function accepts both a username and an email parameter from the request body.
However, after resolving a valid username to a real account, it still uses the email provided in the request rather than the email tied to that user in WordPress.
As a result, an unauthenticated attacker can submit a high-privileged username along with an attacker-controlled email address, receive a valid reset link, and set a new password for that account.
- Vulnerability: CVE-2026-8206, CVSS 9.8 (Critical), unauthenticated privilege escalation
- Affected plugin: Kirki – Freeform Page Builder, versions 6.0.0–6.0.6
- Impact: Full account takeover, including admin users, via password reset abuse
- Root cause: Logic flaw in handle_forgot_password() using attacker-supplied email
- Patched version: Kirki 6.0.7, released May 18, 2026
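To make the fix concrete, here is an added example of a hardened "forgot password" REST callback for a WordPress plugin; it is illustrative code written for this article, not Kirki's handler or its 6.0.7 patch. The function name, parameter names and the registration of the route are assumptions; the WordPress core functions it calls (get_user_by, get_password_reset_key, network_site_url, wp_mail) are real.

```php
<?php
// Added example, not Kirki's code. Assumes this callback is registered with
// register_rest_route() elsewhere and receives 'username' and 'email' params.
function example_handle_forgot_password( WP_REST_Request $request ) {
    $login       = sanitize_text_field( (string) $request->get_param( 'username' ) );
    $email_param = sanitize_email( (string) $request->get_param( 'email' ) );

    // Accept a username or an email, but always resolve to a stored WP_User.
    $user = is_email( $login )
        ? get_user_by( 'email', $login )
        : get_user_by( 'login', $login );

    // Same response whether or not the account exists, to avoid enumeration.
    $generic = rest_ensure_response( array( 'sent' => true ) );
    if ( ! $user instanceof WP_User ) {
        return $generic;
    }

    // The request's email is at most a hint to cross-check against the stored
    // record. It is never the destination: that is the bug class described above.
    if ( '' !== $email_param && 0 !== strcasecmp( $email_param, $user->user_email ) ) {
        return $generic;
    }

    // Let core mint the key: hashed at rest, time-limited, bound to this user.
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $generic; // do not reveal why (e.g. password reset disabled)
    }

    $reset_url = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key )
        . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // Destination comes from the user record, not from the request body.
    wp_mail(
        $user->user_email,
        sprintf( '[%s] Password reset', wp_specialchars_decode( get_option( 'blogname' ) ) ),
        "A password reset was requested for your account.\n\nReset link: {$reset_url}\n"
    );

    return $generic;
}
```

When reviewing a plugin's reset flow, the single line to check is the first argument to wp_mail (or its equivalent): if it can be traced back to request input rather than to the resolved user's stored address, the flaw is present.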
Once an administrator account is compromised, an attacker can install malicious plugins, create rogue administrator users, inject SEO spam, alter site content, or deploy webshells for persistent access and broader compromise.
Wordfence validated the report and proof of concept on May 8, 2026, and shipped a firewall rule on May 9, 2026, for Premium, Care, and Response customers, with free users scheduled to receive the same protection on June 8, 2026.
Themeum released the patched Kirki 6.0.7 build on May 18, 2026, and site owners are strongly urged to update immediately, audit administrator accounts, and review logs for suspicious password reset activity targeting the plugin’s REST endpoint.