Versions 6.0.0 through 6.0.6 of the plugin are affected by an unauthenticated privilege escalation and account takeover vulnerability. Tracked as CVE-2026-8206 (CVSS score 9.8), the issue lies in the plugin’s password reset flow, which allowed a requester to supply a username together with an arbitrary email address and have the password reset key for that account sent to the supplied address. An unauthenticated attacker can therefore name a high-privileged account, supply an email address under their own control, and receive a valid password reset link for the targeted account; using that link, they can set a new password and take control of the account. Resetting the password of an administrative account gives the attacker control of the entire website.
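The flaw described above is a classic password-reset design error: the destination of the reset email is taken from the request instead of from the account record. The following PHP is an added illustration written for this page, not the plugin’s own code; the function names, the AJAX action name `example_reset`, the nonce name and the logging are hypothetical. It shows the weak shape beside a hardened handler that always mails the address stored on the account, answers identically whether or not the account exists, and logs a mismatch between the submitted and stored addresses as a detection signal.

```php
<?php
// Added example (not the plugin's code). WordPress API calls used are real;
// handler and action names are hypothetical.

// WEAK SHAPE of the flaw: the reset key for the named account is mailed to
// whatever address the request supplies.
function example_weak_reset_handler() {
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'login', $login );
    if ( ! $user ) {
        wp_send_json_error( 'request processed' );
    }
    $key = get_password_reset_key( $user ); // valid reset key for $user
    if ( is_wp_error( $key ) ) {
        wp_send_json_error( 'request processed' );
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    wp_mail( $email, 'Password reset', "Reset link: $link" ); // BUG: destination chosen by the requester
    wp_send_json_success( 'request processed' );
}

// HARDENED HANDLER: the submitted email never influences where the key is sent.
function example_hardened_reset_handler() {
    // Reject requests that did not originate from the site's own reset form.
    if ( ! check_ajax_referer( 'example_reset_nonce', 'nonce', false ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $user  = get_user_by( 'login', $login );

    if ( $user ) {
        $stored = $user->user_email;
        if ( '' !== $email && 0 !== strcasecmp( $email, $stored ) ) {
            // Detection signal: a reset requested for this account with a foreign address.
            error_log( sprintf(
                'password reset address mismatch for user=%s from ip=%s',
                $user->user_login,
                $_SERVER['REMOTE_ADDR'] ?? 'unknown'
            ) );
        }
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            wp_mail( $stored, 'Password reset', "Reset link: $link" ); // always the stored address
        }
    }
    // Identical response whether or not the account exists, to avoid account enumeration.
    wp_send_json_success( 'If the account exists, a reset link has been sent to its registered address.' );
}

add_action( 'wp_ajax_nopriv_example_reset', 'example_hardened_reset_handler' );
add_action( 'wp_ajax_example_reset', 'example_hardened_reset_handler' );
```

The important property is that no field of an unauthenticated request can select the delivery address: the lookup key (the username) is untrusted input, but the destination comes only from the stored `user_email`. The mismatch log line is what a site operator would alert on when checking whether this class of bug is being probed.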
| Vendor | Product | Affected versions |
|---|---|---|
| kirki | kirki – freeform page builder, website builder & customizer | 6.0.0 to 6.0.6 |
- Updated description with more technical detail, added patch version 6.0.7, and included new CWE and tags.
- Updated description with technical details, confirmed active exploitation, and added patch version 6.0.7.
- Updated description with new details and confirmed no exploit is available.
- Initial creation