Bleepingcomputer
Critical CVE-2026-8206 Flaw in Kirki Plugin Exposes 500,000 WordPress Sites to Attacks
A critical vulnerability (CVE-2026-8206) in the Kirki WordPress plugin allows unauthenticated attackers to hijack user accounts, including administrator accounts, on over 500,000 websites. Detected by Defiant's Wordfence firewall, the flaw affects versions 6.0.0 through 6.0.6, and approximately 150,000 sites are currently running a vulnerable version. The vulnerability stems from a misconfigured password reset function that lets an attacker redirect password reset links to any email address they control. The issue was reported by researcher CHOIGYENGMIN on May 4, 2026, and a patch was released on May 18, 2026. Website administrators are urged to upgrade to version 6.0.7 or disable the plugin to mitigate the risk. The vulnerability carries a CVSS score of 9.8, reflecting its critical severity and the urgency of remediation.
Key Points:
• CVE-2026-8206 allows attackers to hijack WordPress admin accounts via the Kirki plugin.
• Over 500,000 websites are affected, with approximately 150,000 actively vulnerable.
• Website owners must upgrade to version 6.0.7 or disable the plugin to prevent exploitation.
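A defender-side triage check, added here as an example and not code from the article or from the Kirki project: given the header of a plugin's main PHP file, it reports whether the installed Kirki version falls inside the affected 6.0.0 to 6.0.6 range stated above. The sample header text is constructed for the demonstration.

```python
import re

# Constructed sample of a WordPress plugin file header (not Kirki's real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Kirki Customizer Framework
 * Version: 6.0.5
 */
"""

# Version bounds taken from the advisory summary above.
AFFECTED_MIN = (6, 0, 0)   # first affected release
AFFECTED_MAX = (6, 0, 6)   # last affected release
FIXED = (6, 0, 7)          # patched release


def parse_version(header_text):
    """Return the 'Version:' header as a tuple of ints, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        return None
    parts = m.group(1).strip(".").split(".")
    return tuple(int(p) for p in parts)


def kirki_status(header_text):
    """Classify a plugin header against the CVE-2026-8206 affected range."""
    if not re.search(r"Plugin Name:\s*Kirki", header_text, re.IGNORECASE):
        return "not-kirki"
    version = parse_version(header_text)
    if version is None:
        return "unknown"          # no parsable version: treat as needing manual review
    version = (version + (0, 0, 0))[:3]   # normalise "6.0" -> (6, 0, 0)
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "vulnerable"
    if version >= FIXED:
        return "patched"
    return "outside-stated-range"  # pre-6.0.0: not listed as affected in the advisory


if __name__ == "__main__":
    print(kirki_status(SAMPLE_HEADER))
```

On a live install, WP-CLI's `wp plugin get kirki --field=version` (plugin slug assumed to be `kirki`) yields the same version string for feeding into this check.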