Critical CVE-2026-8206 Vulnerability in Kirki Plugin Threatens 500,000+ WordPress Sites
Severity: High (Score: 72.9)
Sources: www.wordfence.com, Cybersecuritynews, Bleepingcomputer
Keywords: wordpress, plugin, critical, kirki, vulnerability, websites, privilege
Severity indicators: critical, vulnerability, privilege escalation
Summary
A critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki WordPress plugin allows unauthenticated attackers to hijack user accounts, including administrator accounts. The flaw affects versions 6.0.0 through 6.0.6 of the plugin, which is active on over 500,000 websites; approximately 150,000 of those sites are still running a vulnerable version. The vulnerability arises from a custom REST API endpoint that mishandles password reset requests: the endpoint accepts an arbitrary email address from the request and delivers the victim's reset link there, so an attacker can have the reset link for any account sent to an address they control. Wordfence reported blocking over 222 exploitation attempts in a single 24-hour period. The vulnerability was discovered by researcher CHOIGYENGMIN on May 4, 2026, and a patch was released on May 18, 2026 in version 6.0.7. Website administrators are urged to upgrade to version 6.0.7 or later, or to disable the plugin immediately if they cannot.

Key Points:
• CVE-2026-8206 allows attackers to hijack WordPress accounts via the Kirki plugin.
• Approximately 150,000 sites are actively vulnerable due to outdated plugin versions.
• Website owners must upgrade to version 6.0.7 or disable the plugin to prevent exploitation.
Detailed Analysis
**Impact**

Over 500,000 WordPress websites use the Kirki plugin, of which approximately 150,000 are still running the vulnerable versions 6.0.0 through 6.0.6. The vulnerability allows an attacker to hijack any user account, including administrators. Because the attacker ends up with a legitimate password reset link, the resulting login is indistinguishable from a normal one, and an administrator session gives the attacker everything that follows from it: installation of malicious plugins, content manipulation, deployment of web shells or backdoors, and access to the site's database. The affected sites span multiple sectors and geographies, though specific industries or regions are not detailed in the sources.

**Technical Details**

CVE-2026-8206 is a critical privilege escalation vulnerability (CVSS 9.8) in the Kirki - Freeform Page Builder plugin caused by a flawed custom REST API endpoint for password resets (`handle_forgot_password()`). The endpoint accepts an arbitrary email address as part of the password reset request and sends the reset link to that address instead of the email address stored for the targeted user. The defect is therefore not the absence of authentication (a password reset endpoint must be reachable without logging in) but the fact that the request body, rather than the user record, decides where the reset link is delivered. Exploitation requires no authentication, no interaction from the victim, and no prior knowledge beyond a valid username, so an attacker can obtain admin-level access in a single request followed by a click on the link they receive. Wordfence detected and blocked over 222 attack attempts within 24 hours. No specific malware or IOCs are mentioned in the articles.

**Recommended Response**

Website administrators must immediately upgrade the Kirki plugin to version 6.0.7 or later, which contains the patch for CVE-2026-8206. If patching is not immediately possible, disabling the plugin is advised to prevent exploitation. Because a successful attack leaves a valid-looking login rather than a crash or an error, post-patch review matters as much as the patch itself: check for password reset requests and password changes on administrator accounts that the account owners did not initiate, for administrator accounts created since the disclosure window, and for newly installed plugins or unexpected files in the web root. Deploying web application firewall (WAF) rules to block exploitation attempts and reviewing web server and WordPress logs for calls to the plugin's password reset REST route are recommended.
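The following PHP is an added illustration of the flawed pattern described above beside a hardened form; it is not the Kirki plugin's code and does not reproduce the actual `handle_forgot_password()` implementation. The route names (`example/v1/forgot-password-vulnerable`, `example/v1/forgot-password`), the parameter names `user_login` and `email`, and the `example_handle_*` function names are assumptions made for the example. Only the WordPress core APIs it calls are real.

```php
<?php
/**
 * Added example: a password reset REST endpoint that lets the request choose
 * the recipient (the class of bug described for CVE-2026-8206), and a hardened
 * version that lets only the stored user record decide where the link goes.
 * Route names, parameter names and function names are assumptions, not the
 * Kirki plugin's own.
 */

add_action( 'rest_api_init', function () {
    // Vulnerable pattern (assumed route): the request supplies both the
    // account to reset AND the address that receives the reset link.
    register_rest_route( 'example/v1', '/forgot-password-vulnerable', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password_vulnerable',
        'permission_callback' => '__return_true', // unauthenticated by design
    ) );

    // Hardened pattern: the request only identifies the account. It is still
    // unauthenticated (a reset endpoint has to be), but nothing in the request
    // can influence the recipient.
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password_hardened',
        'permission_callback' => '__return_true',
        'args'                => array(
            'user_login' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

/**
 * VULNERABLE: trusts the caller-supplied "email" as the recipient.
 * POST user_login=admin&email=attacker@example.com yields a valid reset
 * link for the admin account in the attacker's inbox.
 */
function example_handle_forgot_password_vulnerable( WP_REST_Request $request ) {
    $user = get_user_by( 'login', $request->get_param( 'user_login' ) );
    if ( ! $user ) {
        // Also leaks whether the username exists; the hardened version does not.
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }

    $key = get_password_reset_key( $user ); // WordPress core: stores a hashed reset key
    if ( is_wp_error( $key ) ) {
        return $key;
    }

    $reset_url = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // The defect: the destination address comes from the request body, so
    // sanitizing it does nothing for security; it is still attacker-chosen.
    $to = sanitize_email( $request->get_param( 'email' ) );
    wp_mail( $to, 'Password reset', 'Reset your password: ' . $reset_url );

    return rest_ensure_response( array( 'sent' => true ) );
}

/**
 * HARDENED: delegate to WordPress core's retrieve_password() (a core function
 * since WordPress 5.7). It accepts a login or an e-mail address as the
 * identifier, looks the user up itself, and mails the link ONLY to the
 * user_email stored for that account.
 */
function example_handle_forgot_password_hardened( WP_REST_Request $request ) {
    $result = retrieve_password( $request->get_param( 'user_login' ) );
    if ( is_wp_error( $result ) ) {
        // Log server-side for the responder, but never tell the caller
        // whether the account exists (no user enumeration).
        error_log( 'password reset request failed: ' . $result->get_error_code() );
    }

    return rest_ensure_response( array(
        'message' => 'If that account exists, a reset link has been sent to its registered e-mail address.',
    ) );
}
```

The vulnerable route is included only to make the pattern visible and should never be deployed. The audit question to ask of any custom reset endpoint is the one this example turns on: does any value from the request, after lookup, still influence the `$to` argument of `wp_mail()` (or the equivalent)? If the recipient is not read exclusively from the user record, the endpoint has the same bug class regardless of how well the input is sanitized.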
Source articles (4)
- Critical Kirki flaw exploited to hijack WordPress admin accounts — Bleepingcomputer · 2026-06-02
  Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. The a…
- WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks — Cybersecuritynews · 2026-06-03
  A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites ar…
- Kirki 6.0.0 - 6.0.6 Unauthenticated Privilege Escalation via handle_forgot_password — www.wordfence.com · 2026-06-02
- Unauthenticated Privilege Escalation Vulnerability Patched In Kirki WordPress Plugin — www.wordfence.com · 2026-06-02
Timeline
- 2026-05-04 — Vulnerability discovered: Researcher CHOIGYENGMIN identified the critical flaw in the Kirki plugin.
- 2026-05-16 — Vendor notified: Wordfence informed the plugin vendor about the discovered vulnerability.
- 2026-05-18 — Patch released: A fix for the vulnerability was released with version 6.0.7 of the Kirki plugin.
- 2026-06-02 — CVE-2026-8206 published: The vulnerability was publicly disclosed, with active exploitation reported by Wordfence.
- 2026-06-03 — Ongoing exploitation attempts: Wordfence reported over 222 attempts to exploit the vulnerability within 24 hours.
CVEs
- CVE-2026-8206
Related entities
- Zero-day Exploit (Attack Type)
- CWE-269 - Improper Privilege Management (Cwe)
- CWE-287 - Improper Authentication (Cwe)
- T1068 - Exploitation for Privilege Escalation (Mitre Attack)
- WordPress (Platform)