Technology

Critical Kirki flaw exploited to hijack WordPress admin accounts

Bleeping Computer, June 02, 2026
Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators.
The attacks were detected by WordPress security firm Defiant, whose Wordfence firewall blocked over 222 attempts against its customers in the past 24 hours.
The full name of the plugin is Kirki - Freeform Page Builder, Website Builder & Customizer. It is a freeform visual builder and advanced theme customizer active on more than 500,000 websites.
Wordfence reports that the issue was introduced in a recent major release, version 6.0.0, and impacts plugin versions up to 6.0.6, which are used by nearly 40% of the plugin’s userbase, according to download statistics from WordPress.org.
CVE-2026-8206 is caused by the exposure of a custom REST API endpoint for password resets through the ‘handle_forgot_password()’ function.
The flaw stems from the plugin accepting an arbitrary email address during password reset requests.
When a username is provided, the plugin generates a valid password reset link for the associated account, but sends it to the attacker-supplied email address rather than the account owner's registered email address.
This behavior makes it trivial for unauthenticated attackers to have valid password reset links for any user registered on the site delivered to email addresses under their control, and then use those links to take over the accounts.
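To make the defect concrete, here is an added example (not Kirki's code, and not taken from the Wordfence report) of the flawed pattern the article describes next to a hardened forgot-password handler for a custom WordPress REST route. The route name, parameter names and function names are assumptions; the WordPress APIs used (`get_user_by`, `get_password_reset_key`, `wp_mail`, `register_rest_route`) are real core functions.

```php
<?php
/**
 * Added example, not the plugin's code. Illustrates the bug class behind
 * CVE-2026-8206 as the article describes it: a password-reset endpoint that
 * mails the reset link to a caller-supplied address instead of the address
 * stored on the account.
 */

// --- Flawed pattern (hypothetical reconstruction; never ship this) ---
// The destination address comes from the request body, so whoever calls the
// endpoint decides where the reset link for the named account is delivered.
function example_forgot_password_flawed( WP_REST_Request $request ) {
    $user = get_user_by( 'login', sanitize_user( (string) $request->get_param( 'username' ) ) );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Unknown user', array( 'status' => 404 ) );
    }
    $key  = get_password_reset_key( $user );
    $link = network_site_url( 'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ), 'login' );
    // Bug: 'email' is attacker-controlled input, not the account's registered address.
    wp_mail( (string) $request->get_param( 'email' ), 'Password reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

// --- Hardened pattern ---
// The request may only identify the account; the mail destination is always
// the address WordPress has on record for that account.
function example_forgot_password_hardened( WP_REST_Request $request ) {
    $login = sanitize_user( (string) $request->get_param( 'username' ) );
    $user  = get_user_by( 'login', $login );
    if ( ! $user && is_email( $login ) ) {
        $user = get_user_by( 'email', $login );
    }

    // Same response whether or not the account exists, so the endpoint does
    // not double as a username oracle.
    $response = rest_ensure_response(
        array( 'message' => 'If the account exists, a reset link has been sent to its registered email address.' )
    );

    if ( $user ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url( 'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ), 'login' );
            // Destination is $user->user_email; no request parameter can override it.
            wp_mail( $user->user_email, 'Password reset request', "Reset your password: $link" );
        }
    }
    return $response;
}

add_action( 'rest_api_init', function () {
    // Hypothetical namespace and route for the example.
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_forgot_password_hardened',
        // Unauthenticated by design: a user who forgot their password has no session.
        // The security control is where the link is sent, not who may call this.
        'permission_callback' => '__return_true',
        'args'                => array(
            'username' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_user',
            ),
            // Note: no 'email' argument is accepted at all.
        ),
    ) );
} );
```

Two design notes. First, the hardened handler deliberately has no `email` parameter, so there is nothing to validate or forget to validate; rejecting the parameter is simpler and safer than checking it against the account. Second, a custom endpoint like this can often be replaced by a call to core's `retrieve_password()` (in `wp-includes/user.php` since WordPress 5.7), which already looks up the account, generates the key and mails the registered address, and which benefits from core's own fixes. Whichever route is kept, rate limiting reset requests per source and alerting on bursts of them is the detection counterpart to the code fix.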
Once an attacker gains admin-level access, they could install malicious plugins, modify website content, deploy web shells or persistent backdoors, and access private databases.
The flaw was discovered by security researcher CHOIGYENGMIN, who reported it to Wordfence on May 4, 2026. The company notified the vendor on May 16 and released a fix with version 6.0.7 on May 18, 2026.
Given the active exploitation status of CVE-2026-8206 and the very low requirements for launching attacks, it is critical that website owners/administrators upgrade to version 6.0.7 or disable the plugin.

Source: Bleeping Computer
