Ethical Hacking News

Critical Kirki Plugin Vulnerability Exposed: A Looming Threat to WordPress Users



The Kirki plugin vulnerability exposes thousands of websites to attack, putting user data at risk. Update to version 6.0.7 or later, disable the plugin until a fix is available, and regularly update all plugins and themes to ensure you have the latest security patches.

  • The Kirki plugin has a critical privilege escalation vulnerability (CVE-2026-8206) that allows attackers to hijack WordPress admin accounts.
  • The plugin's version 6.0.0 introduced a custom REST API endpoint for password resets, which sends the link to an arbitrary email address instead of the registered owner's.
  • The vulnerability can be exploited with minimal technical expertise; Wordfence reported blocking over 222 exploitation attempts against its customers within 24 hours.
  • Over 40% of Kirki plugin users are running versions up to 6.0.6, which are impacted by the vulnerability.
  • To secure their websites, users should immediately upgrade to version 6.0.7 or later, disable the plugin until a fix is available, monitor security for suspicious activity, and regularly update all plugins and themes.



  • Critical Kirki plugin vulnerability exposed, putting thousands of websites at risk.

    The Kirki plugin, a freeform visual builder and advanced theme customizer active on more than 500,000 websites, has been found to contain a critical privilege escalation vulnerability (CVE-2026-8206) that allows attackers to hijack WordPress admin accounts. The vulnerability was discovered by security researcher CHOIGYENGMIN and reported to Wordfence, which notified the vendor on May 16, 2026.

    The Kirki plugin version 6.0.0 introduced a custom REST API endpoint for password resets through the 'handle_forgot_password()' function, which accepts an arbitrary email address during password reset requests. However, instead of sending the password reset link to the account owner's registered email address, the plugin sends it to the attacker-supplied email address.

    This behavior makes it trivial for unauthenticated attackers to generate valid password reset links for any user registered on the site, using an email address under their control. Once an attacker gains admin-level access, they can install malicious plugins, modify website content, deploy web shells or persistent backdoors, and access private databases.

    The vulnerability is caused by a flaw in the 'handle_forgot_password()' function that exposes a custom REST API endpoint for password resets without proper validation. The exploit requires only basic knowledge of the plugin's functionality and can be performed with minimal technical expertise.
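    To make the defect class concrete, the following is an added illustration written for this article; it is not Kirki's code, and the REST namespace, route, parameter names and function names are assumptions. It shows a hypothetical password-reset handler that mails the link to the caller-supplied address (the pattern the advisory describes) next to a hardened handler that only ever mails the address WordPress holds for the account and answers identically whether or not the address is registered.

```php
<?php
// Added illustration, not the Kirki plugin's code. The namespace
// 'example-theme/v1', the route '/forgot-password', the parameter names and
// the example_* function names are assumptions chosen for this example.

add_action( 'rest_api_init', function () {
    // A password-reset endpoint is necessarily public, so permission_callback
    // lets anyone call it; the safety must come from the handler itself.
    register_rest_route( 'example-theme/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password_fixed',
        'permission_callback' => '__return_true',
        'args'                => array(
            'email' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => function ( $value ) {
                    return is_email( $value ) !== false;
                },
            ),
        ),
    ) );
} );

/**
 * VULNERABLE pattern (hypothetical reconstruction of the flaw class the
 * advisory describes, not the plugin's actual code). The caller names a
 * target account and a recipient address, and the reset link is mailed to
 * that caller-chosen address instead of the account's registered one.
 * Shown only to make the defect visible; it is deliberately not registered.
 */
function example_handle_forgot_password_vulnerable( WP_REST_Request $request ) {
    $recipient = sanitize_email( $request->get_param( 'email' ) );
    $login     = sanitize_user( $request->get_param( 'login' ) );
    $user      = get_user_by( 'login', $login );
    if ( ! $user ) {
        // Also leaks whether the account exists (user enumeration).
        return new WP_Error( 'no_user', 'Unknown user.', array( 'status' => 404 ) );
    }
    $key  = get_password_reset_key( $user );
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    // BUG: the recipient is whatever the request said, so the link never has
    // to reach the real owner.
    wp_mail( $recipient, 'Password reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

/**
 * HARDENED handler. The request only identifies an account by e-mail; the
 * link is sent exclusively to $user->user_email, the address stored for that
 * account, and the response is the same whether or not the address exists.
 */
function example_handle_forgot_password_fixed( WP_REST_Request $request ) {
    $email = $request->get_param( 'email' ); // sanitized and validated by 'args' above
    $user  = get_user_by( 'email', $email );

    // Constant response: no account-enumeration oracle.
    $response = rest_ensure_response( array(
        'message' => 'If that address is registered, a reset link has been sent.',
    ) );

    if ( ! $user ) {
        return $response;
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        // e.g. password resets disabled for this user; still answer uniformly.
        return $response;
    }

    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // The only recipient is the registered address; the caller cannot redirect it.
    wp_mail( $user->user_email, 'Password reset', 'Reset your password: ' . $link );

    return $response;
}
```

The design point is that a password-reset request must never carry a recipient at all: the request may identify an account, but the delivery address is looked up server-side from the user record. The uniform response in the hardened version additionally keeps the endpoint from confirming which addresses are registered.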

    Wordfence has reported that over 222 exploitation attempts against its customers were blocked within 24 hours, while nearly 40% of the plugin's user base is still running versions up to 6.0.6, which are affected by this vulnerability.

    In response to the identified vulnerability, Wordfence released a fix with version 6.0.7 on May 18, 2026. It is essential for WordPress users who have not yet upgraded to the latest version or disabled the plugin to take immediate action to secure their websites.

    To avoid falling victim to this exploit, website owners and administrators are advised to follow these steps:

    1. Immediately upgrade to Kirki version 6.0.7 or later.
    2. Disable the plugin until a fix is available.
    3. Monitor website security for any suspicious activity.
    4. Regularly update all plugins and themes to ensure you have the latest security patches.

    The discovery of this vulnerability highlights the importance of regular security audits and updates in maintaining the integrity and security of WordPress websites. It demonstrates how quickly a seemingly innocuous feature can be turned against its intended purpose, emphasizing the need for vigilant webmasters to stay informed about potential threats.

    Furthermore, it serves as a reminder that no system is entirely secure, and even seemingly robust plugins like Kirki can harbor vulnerabilities waiting to be exploited. As such, webmasters must remain proactive in their security efforts and continuously update their knowledge of current threats to protect themselves and their online presence from falling prey to malicious actors.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Critical-Kirki-Plugin-Vulnerability-Exposed-A-Looming-Threat-to-WordPress-Users-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/

  • https://cybersixt.com/a/_1rBadnBJEGEDr7Zi-h2Yp

  • https://nvd.nist.gov/vuln/detail/CVE-2026-8206

  • https://www.cvedetails.com/cve/CVE-2026-8206/


  • Published: Tue Jun 2 17:52:45 2026 by llama3.2 3B Q4_K_M