Full Report
Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. [...]
Analysis Summary
# Vulnerability: Unauthenticated Privilege Escalation in Kirki WordPress Plugin
## CVE Details
- CVE ID: CVE-2026-8206
- CVSS Score: 9.8 (Critical)
- CWE: CWE-288 (Authentication Bypass Using an Alternate Path) / CWE-269 (Improper Privilege Management)
## Affected Systems
- Products: Kirki - Freeform Page Builder, Website Builder & Customizer (WordPress Plugin)
- Versions: 6.0.0 through 6.0.6
- Configurations: Sites with the plugin active that allow user registrations or have existing administrative accounts.
## Vulnerability Description
A critical privilege escalation vulnerability exists in the Kirki plugin due to the insecure implementation of a custom REST API endpoint for password resets. The flaw resides in the `handle_forgot_password()` function.
While the function correctly identifies a target user account based on a provided username, it fails to validate the recipient email address. Instead of sending the password reset link to the email address associated with the account in the WordPress database, the plugin sends it to an arbitrary email address provided by the requester in the API call. This allows an unauthenticated attacker to redirect password reset links for any user (including administrators) to an inbox they control.
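The defect described above, shown as an added illustration rather than Kirki's own code: a REST handler that mails the reset link to a client-supplied address, beside a version that only ever uses the address stored on the account. The route namespace, parameter names and function names are assumptions; the WordPress API calls (`get_user_by`, `get_password_reset_key`, `wp_mail`, `register_rest_route`) are real.

```php
<?php
// Added example, not the plugin's code. Route and parameter names are assumed.

// VULNERABLE PATTERN (as the advisory describes it): the account is found by
// username, but the reset link is sent to whatever address the caller supplies.
function example_forgot_password_vulnerable( WP_REST_Request $request ) {
    $user = get_user_by( 'login', sanitize_user( $request->get_param( 'username' ) ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    $key  = get_password_reset_key( $user );
    $link = network_site_url( 'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ), 'login' );
    // Defect: the recipient is taken from the request, not from the account.
    wp_mail( $request->get_param( 'email' ), 'Password reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

// HARDENED: the endpoint accepts only a username; the recipient is always the
// stored $user->user_email. (WordPress core's retrieve_password() does the
// same and can be used instead of hand-rolling the mail.)
function example_forgot_password_fixed( WP_REST_Request $request ) {
    $user = get_user_by( 'login', sanitize_user( $request->get_param( 'username' ) ) );
    if ( $user instanceof WP_User ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url( 'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ), 'login' );
            wp_mail( $user->user_email, 'Password reset', $link ); // stored address only
        }
    }
    // Same response whether or not the account exists, so the endpoint cannot
    // be used to enumerate usernames.
    return rest_ensure_response( array( 'sent' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_forgot_password_fixed',
        // Public by design (password reset must work unauthenticated); this is
        // only acceptable because no client-chosen recipient is honoured.
        'permission_callback' => '__return_true',
        'args'                => array(
            'username' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The only difference that matters is the first argument to `wp_mail()`: a reset flow may look up the account by username, but the recipient must come from the database, never from the request.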
## Exploitation
- Status: Exploited in the wild
- Complexity: Low
- Attack Vector: Network
## Impact
- Confidentiality: High (Full access to site data and databases)
- Integrity: High (Ability to modify content, install backdoors, and inject malicious code)
- Availability: High (Ability to lock out legitimate users or delete site data)
## Remediation
### Patches
- Update to Kirki version 6.0.7 or later immediately.
### Workarounds
- If patching is not immediately possible, deactivate and delete the Kirki plugin to remove the vulnerable REST API endpoint.
## Detection
- Indicators of Compromise: Unusual or repeated password reset requests for administrative accounts; unauthorized new administrative users; modified plugin files or web shells dropped on the site.
- Detection methods and tools: Monitor web server logs for requests to the Kirki REST API password reset endpoint (the route that reaches `handle_forgot_password()`), especially requests that name an administrator account; use a Web Application Firewall (WAF) to block requests to that endpoint until the plugin is updated.
## References
- Wordfence Intelligence: hxxps[://]www[.]wordfence[.]com/threat-intel/vulnerabilities/wordpress-plugins/kirki/kirki-600-606-unauthenticated-privilege-escalation-via-handle-forgot-password
- Wordfence Blog: hxxps[://]www[.]wordfence[.]com/blog/2026/06/unauthenticated-privilege-escalation-vulnerability-patched-in-kirki-wordpress-plugin/
- WordPress Plugin Repository: hxxps[://]wordpress[.]org/plugins/kirki/