Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin
A critical unauthenticated privilege escalation vulnerability in the Kirki WordPress plugin, tracked as CVE-2026-8206, allows attackers to take over administrator accounts.

A critical security flaw has been identified in the Kirki WordPress plugin, a popular tool used for freeform page building and customizer enhancements. The vulnerability, assigned the identifier CVE-2026-8206, carries a CVSS score of 9.8 and affects versions 6.0.0 through 6.0.6. By exploiting this flaw, unauthenticated attackers can perform a full account takeover, including gaining administrative access to affected WordPress sites. The issue stems from improper handling of password reset requests within the plugin's custom REST API.
Technical analysis reveals that the vulnerability resides in the handle_forgot_password() function within the CompLibFormHandler class. The function incorrectly processes password reset requests by accepting both a username and an email parameter. An attacker can submit an arbitrary email address alongside a target username, causing the plugin to send the password reset link to the attacker-controlled email address rather than the legitimate user's registered address. This bypasses standard authentication mechanisms, granting the attacker the ability to reset the password for any account on the site.
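For contrast, the following is an added illustration (not Kirki's code) of how a custom REST password-reset endpoint avoids this class of bug: it accepts only the login identifier, never reads a caller-supplied email, and lets WordPress send the link to the address stored on the account. The namespace, route and function names are hypothetical, and `retrieve_password()` is assumed to be available (WordPress 5.7 or later).

```php
<?php
// Added example (not the Kirki plugin's code): a WordPress REST "forgot password"
// endpoint whose destination address is always the one stored on the account.
// Namespace, route and function names are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password',
        // Public by design, like wp-login.php?action=lostpassword.
        'permission_callback' => '__return_true',
        'args'                => array(
            // Only the login identifier is declared; there is no 'email' argument,
            // so nothing in the request can influence where the link is delivered.
            'user_login' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_handle_forgot_password( WP_REST_Request $request ) {
    $user_login = $request->get_param( 'user_login' );

    // retrieve_password() (WordPress 5.7+) looks the account up by login or email,
    // generates the reset key and mails it to $user->user_email. Any 'email'
    // parameter the caller may have sent is simply never read.
    $result = retrieve_password( $user_login );

    // Keep the real outcome server-side; the response below is identical whether
    // or not the account exists, so the endpoint does not enumerate usernames.
    if ( is_wp_error( $result ) ) {
        error_log( 'forgot-password: ' . $result->get_error_code() . ' for login ' . $user_login );
    }

    return rest_ensure_response( array(
        'message' => 'If an account matches, a reset link has been sent to its registered email address.',
    ) );
}
```

When reviewing a plugin's own handler, the check is the same: trace where the `to` address of the reset mail comes from, and reject any path on which it originates in the request rather than in the user record.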
The vulnerability was discovered and reported by researcher CHOIGYEONGMIN through the Wordfence Bug Bounty Program, for which they received a bounty of $6,436. While the plugin is installed on over 500,000 sites, the vulnerability is specifically present in the 6.0 major release branch, impacting an estimated 150,000 installations. The developer, Themeum, was notified of the issue on May 15, 2026, and moved quickly to release a patch.
Version 6.0.7 of the Kirki plugin was released on May 18, 2026, to address the flaw. Users are strongly urged to update their installations to this version or higher immediately to mitigate the risk of account takeover. For those unable to update immediately, Wordfence has deployed firewall rules to protect their Premium, Care, and Response customers, with protection for free users scheduled to follow shortly after the initial disclosure period.
This incident highlights the ongoing risks associated with custom REST API implementations in WordPress plugins. As attackers increasingly target administrative functions to gain initial access, developers must ensure that sensitive operations such as password resets are bound to the stored account record (the registered email address, or the current user session where one exists) rather than to parameters supplied in the request. The rapid response from the plugin maintainers serves as a positive example of effective vulnerability management and responsible disclosure within the WordPress ecosystem.