CVE-2026-8206
published 2026-06-02

CVE-2026-8206: The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions…

Priority: P1 (90) · Severity: critical · CVSS 3.1: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 1.26% (65.9th percentile)
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.

Detection & IOCs (extracted from sources)

  • Alert on unauthenticated password reset requests that include a username parameter alongside an attacker-controlled arbitrary email address, indicating an account takeover attempt.
  • Wordfence firewall blocked over 222 exploitation attempts in 24 hours — active in-the-wild exploitation is confirmed; prioritize detection on sites running Kirki versions 6.0.0 through 6.0.6.
  • Post-compromise, look for installation of new/unknown plugins, web shell uploads, or new backdoor files on WordPress sites running Kirki, as these are documented attacker follow-on actions.
  • The attack requires no authentication whatsoever, making it trivially exploitable by any external attacker against any of the 500,000+ sites running this plugin.
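The following Python is an added detection example, not code from this page, from cbcvebase or from the Kirki project. It scans request logs for the shape the bullets above describe (an unauthenticated lost-password request that names a user and also supplies a separate email address) and checks a reported plugin version against the affected range 6.0.0 through 6.0.6. The log format with an appended `body="..."` field is constructed for the example; `user_login` is the WordPress core lost-password form field, while the `email` field name is a hypothetical placeholder, so the real parameter the plugin accepts must be confirmed from its source before the rule is deployed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Versions the advisory names as affected: 6.0.0 through 6.0.6 inclusive.
AFFECTED_MIN = (6, 0, 0)
AFFECTED_MAX = (6, 0, 6)

# Field names are assumptions: user_login is the core WordPress lost-password
# field; "email" is a hypothetical name for the extra address the plugin accepts.
USERNAME_FIELD = "user_login"
EMAIL_FIELD = "email"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed WAF-style log line: Common Log Format plus body="..." holding the
# URL-encoded POST body (plain web server access logs do not record bodies).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+ '
    r'body="(?P<body>[^"]*)"$'
)


def version_tuple(v):
    """Turn '6.0.3' into (6, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))


def kirki_version_affected(v):
    """True if the reported plugin version lies within 6.0.0..6.0.6."""
    return AFFECTED_MIN <= version_tuple(v) <= AFFECTED_MAX


def first(params, key):
    vals = params.get(key)
    return vals[0] if vals else None


def inspect_line(line):
    """Return a finding for one suspicious reset request, or None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-login.php"):
        return None
    if first(parse_qs(url.query), "action") != "lostpassword":
        return None
    body = parse_qs(m["body"])
    username = first(body, USERNAME_FIELD)
    email = first(body, EMAIL_FIELD)
    if username is None or email is None:
        return None  # ordinary reset: no separate address supplied
    if EMAIL_RE.match(username):
        return None  # user identified by their own address: normal core flow
    if not EMAIL_RE.match(email):
        return None
    # Username plus an independently supplied address is the advisory's pattern.
    return {"ip": m["ip"], "ts": m["ts"], "username": username, "email": email}


def scan(lines):
    """Run inspect_line over every log line and keep the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample log: one benign reset by email, one reset by username with
# a separate address, one GET to the login page, one plain reset by username.
SAMPLE_LOG = [
    '198.51.100.4 - - [02/Jun/2026:10:14:55 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 body="user_login=alice%40example.org"',
    '203.0.113.7 - - [02/Jun/2026:10:15:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 body="user_login=admin&email=attacker%40example.net"',
    '203.0.113.7 - - [02/Jun/2026:10:15:02 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 2048 body=""',
    '198.51.100.9 - - [02/Jun/2026:10:16:10 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 200 512 body="user_login=bob"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} reset for user {f['username']!r} routed to {f['email']}")
    print("6.0.3 affected:", kirki_version_affected("6.0.3"))
```

The rule deliberately ignores resets where the supplied identifier is itself an email address, since that is the normal core flow, and only fires when a username and an independent address arrive together; pair it with the version check so alerts are prioritized for hosts still on an affected build.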

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL