
Critical CVE-2026-8206 Flaw in Kirki Plugin Exposes 500,000 WordPress Sites to Attacks

Severity: High (Score: 78.0)

Sources: Bleepingcomputer, Ground.News, www.wordfence.com, cybernoz.com, Cybersecuritynews

Published: 2026-06-03 · Updated: 2026-06-03

Keywords: wordpress, plugin, critical, kirki, vulnerability, websites, privilege

Severity indicators: critical, vulnerability, privilege escalation

Summary

A critical vulnerability (CVE-2026-8206) in the Kirki WordPress plugin allows unauthenticated attackers to hijack user accounts, including admin accounts, on over 500,000 websites. Detected by Defiant's Wordfence firewall, the flaw affects versions 6.0.0 to 6.0.6, with approximately 150,000 sites currently vulnerable. The vulnerability arises from a misconfigured password reset function that allows attackers to redirect password reset links to any email address they control. The issue was reported by researcher CHOIGYENGMIN on May 4, 2026, and a patch was released on May 18, 2026. Website administrators are urged to upgrade to version 6.0.7 or disable the plugin to mitigate risks. The vulnerability has a CVSS score of 9.8, indicating its critical nature and the urgency for remediation.

Key Points:

  • CVE-2026-8206 allows attackers to hijack WordPress admin accounts via the Kirki plugin.
  • Over 500,000 websites are affected, with approximately 150,000 actively vulnerable.
  • Website owners must upgrade to version 6.0.7 or disable the plugin to prevent exploitation.

Detailed Analysis

**Impact**

Over 500,000 WordPress websites running Kirki plugin versions 6.0.0 through 6.0.6 are affected, with approximately 150,000 sites actively vulnerable. The flaw allows attackers to hijack any user account, including administrators, enabling full site takeover. Consequences include unauthorized installation of malicious plugins, content modification, deployment of backdoors, and exposure of private databases. The affected sites span various sectors and geographies, but no specific industries or regions were detailed.

**Technical Details**

The vulnerability (CVE-2026-8206, CVSS 9.8) arises from a custom REST API endpoint in the plugin's handle_forgot_password() function that accepts an arbitrary email address as part of a password reset request. An attacker supplies a username and receives a valid password reset link at an email address they control, enabling privilege escalation without authentication. Exploitation gives the attacker admin-level access, facilitating persistence and data compromise. Wordfence detected and blocked over 222 attack attempts within 24 hours. No specific malware or IOCs were reported.

**Recommended Response**

Site administrators must immediately upgrade the Kirki plugin to version 6.0.7 or later, which contains the fix released on May 18, 2026. If patching is not possible, disabling the plugin is advised to prevent exploitation. Deploy detection rules that monitor for unusual password reset requests and privilege escalations via the REST API, and review firewall and intrusion detection logs for repeated reset attempts targeting Kirki endpoints.
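The following detection logic is an added example for the monitoring step above; it is not code from the advisory or from the Kirki project. It scans combined-format web server access logs for bursts of POST requests to a Kirki password-reset REST route and reports the source IPs. The route pattern is an assumption (the advisory names handle_forgot_password() but not the URL), so adjust RESET_ROUTE_RE to the real route on your site; the log lines are constructed sample data.

```python
"""Flag sources that hammer a Kirki forgot-password REST route.

Assumed: the route lives under /wp-json/, mentions 'kirki' and ends in a
'forgot-password' segment (placeholder; the advisory does not give the URL).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/Nginx combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed route shape; case-insensitive so /Kirki/ variants are also caught.
RESET_ROUTE_RE = re.compile(r"/wp-json/.*kirki.*forgot[-_]?password", re.I)


def parse_line(line):
    """Return a dict for a parseable access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def find_reset_bursts(lines, threshold=3, window_seconds=600):
    """Return {ip: total reset POSTs} for every source that sent at least
    `threshold` reset POSTs inside some sliding window of `window_seconds`."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and RESET_ROUTE_RE.search(rec["path"]):
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # two-pointer sliding window
            while stamps[end] - stamps[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


# Constructed sample: one noisy source, one legitimate single reset, unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Jun/2026:10:00:01 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 45',
    '203.0.113.7 - - [02/Jun/2026:10:00:03 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 45',
    '203.0.113.7 - - [02/Jun/2026:10:00:04 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 45',
    '198.51.100.2 - - [02/Jun/2026:10:01:10 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 45',
    '198.51.100.2 - - [02/Jun/2026:10:05:00 +0000] "GET /wp-login.php?action=rp HTTP/1.1" 200 1234',
    '192.0.2.9 - - [02/Jun/2026:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, n in find_reset_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} reset requests to Kirki route")
```

A single reset from one address is normal user behaviour; the threshold and window are the knobs to tune against your own baseline before alerting.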

Source articles (6)

  • Critical Kirki flaw exploited to hijack WordPress admin accounts — Bleepingcomputer · 2026-06-02
    Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. The a…
  • WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks — Cybersecuritynews · 2026-06-03
    A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites ar…
  • Kirki, Burst Statistics WordPress Plugin Flaws in Attackers' Crosshairs — Ground.News · 2026-06-03
    A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites ar…
  • Kirki 600 606 Unauthenticated Privilege Escalation Via Handle Forgot Password — www.wordfence.com · 2026-06-02
  • Unauthenticated Privilege Escalation Vulnerability Patched In Kirki Wordpress Plugin — www.wordfence.com · 2026-06-02
  • Kirki Burst Statistics Wordpress Plugin Flaws In Attackers Crosshairs — cybernoz.com · 2026-06-03

Timeline

  • 2026-05-04 — Vulnerability reported: Researcher CHOIGYENGMIN reported the flaw to Wordfence, highlighting its potential for exploitation.
  • 2026-05-16 — Vendor notified: Wordfence notified the Kirki plugin vendor about the critical vulnerability.
  • 2026-05-18 — Patch released: A fix was released with version 6.0.7 to address the vulnerability in the Kirki plugin.
  • 2026-06-02 — CVE-2026-8206 published: The vulnerability was assigned a CVE identifier and published in the National Vulnerability Database.

CVEs

  • CVE-2026-8206

Related entities

  • Data Breach (Attack Type)
  • Zero-day Exploit (Attack Type)
  • CWE-269 - Improper Privilege Management (CWE)
  • CWE-287 - Improper Authentication (CWE)
  • T1068 - Exploitation for Privilege Escalation (MITRE ATT&CK)
  • T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
  • WordPress (Platform)