WordPress “Kirki” Plugin Flaw Allows Full Admin Takeover (CVE-2026-8206)
A severe security vulnerability has been identified in the Kirki – Freeform Page Builder, Website Builder & Customizer plugin, a popular tool used extensively within the WordPress ecosystem. The flaw exposes websites to unauthenticated privilege escalation and full account takeover, potentially affecting approximately 150,000 installations. The vulnerability was introduced in the 6.0 release cycle, so sites that upgraded to the 6.x line are the ones exposed, and it remains a high-priority threat for site administrators until the patched version is installed.
Tracked as CVE-2026-8206, the flaw carries a critical CVSS score of 9.8. The issue was discovered and reported by researcher CHOIGYEONGMIN through the Wordfence Bug Bounty Program, where it earned a $6,436 reward. The vulnerability is officially patched in version 6.0.7.
Technical Breakdown: The Logic Flaw in Password Reset Workflows
The core of the vulnerability lies within the plugin’s custom REST API endpoint, which is designed to facilitate frontend account management. Specifically, the flaw is located in the handle_forgot_password() function of the CompLibFormHandler class.
In a standard, secure password reset flow, the system establishes that the requester controls the account by sending a reset token only to the email address already stored for that account in the database; nothing the requester supplies can change where the token goes. The Kirki implementation suffers from a critical logic error here: the function correctly resolves the supplied username to a specific user object, but it never compares the supplied email address against that user's registered address. Instead, it uses the email address from the attacker's request body as the destination for the reset link. Knowing or guessing an administrator's username is therefore sufficient to obtain a valid reset link for that account.
Exploitation Scenario:
- Step 1: An unauthenticated attacker identifies a target administrative username.
- Step 2: The attacker sends a POST request to the vulnerable REST endpoint containing the target’s username and an email address controlled by the attacker.
- Step 3: The plugin generates a valid password reset link for the administrator account and sends it to the attacker's email, rather than to the administrator's registered email.
- Step 4: The attacker follows the link, resets the password, and gains full administrative access to the WordPress dashboard.
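To make the logic flaw concrete, here is an added illustration of the vulnerable pattern beside the corrected one. This is example code written for this article, not Kirki's own handler: the route namespace, the request field names ("username" and "email") and the function names are assumptions, while the WordPress APIs used (register_rest_route, get_user_by, get_password_reset_key, network_site_url, wp_mail) are real core functions.

```php
<?php
// Added illustration, not the plugin's code. Route path, field names and
// function names are hypothetical; the WordPress API calls are real.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-forms/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password_fixed',
        'permission_callback' => '__return_true', // unauthenticated by design
    ) );
} );

// Builds the standard wp-login.php reset URL for a given user and key.
function example_reset_link( WP_User $user, string $key ): string {
    return network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
}

// VULNERABLE pattern: the user is resolved from the username, but the reset
// link is mailed to whatever address the request body carries.
function example_handle_forgot_password_vulnerable( WP_REST_Request $request ) {
    $username = sanitize_user( (string) $request->get_param( 'username' ) );
    $email    = sanitize_email( (string) $request->get_param( 'email' ) );

    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Unknown user', array( 'status' => 404 ) );
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }

    // BUG: $email is attacker-controlled; $user->user_email is never consulted,
    // so a valid reset key for $user is delivered to the attacker's mailbox.
    wp_mail( $email, 'Password reset', 'Reset your password: ' . example_reset_link( $user, $key ) );

    return rest_ensure_response( array( 'sent' => true ) );
}

// FIXED pattern: resolve the account, require the supplied address to match the
// stored one, and mail only the stored address. The response is identical in
// every branch so the endpoint cannot confirm which usernames or emails exist.
function example_handle_forgot_password_fixed( WP_REST_Request $request ) {
    $username = sanitize_user( (string) $request->get_param( 'username' ) );
    $email    = sanitize_email( (string) $request->get_param( 'email' ) );

    $generic = rest_ensure_response( array(
        'message' => 'If the account exists, a reset link has been sent.',
    ) );

    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        return $generic;
    }

    // The request's email is at most a lookup key; it must equal the stored
    // address (email addresses are compared case-insensitively here).
    if ( '' === $email || 0 !== strcasecmp( $email, $user->user_email ) ) {
        return $generic;
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $generic;
    }

    // The destination comes from the database record, never from the request.
    wp_mail( $user->user_email, 'Password reset', 'Reset your password: ' . example_reset_link( $user, $key ) );

    return $generic;
}
```

The difference that matters is a single argument to wp_mail: the fixed handler derives the recipient from the WP_User object it already loaded, and treats the client-supplied address purely as something to check against that record. Returning the same generic response on every path is a secondary hardening point; a reset endpoint that answers differently for known and unknown usernames doubles as an account enumeration oracle.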

The Impact of Compromise
Once an attacker successfully escalates their privileges to an administrator level, the integrity of the entire site, and frequently of the underlying web server, is at risk. Malicious actors can execute several high-impact actions, including:
- Deploying webshells to maintain persistent remote code execution with the privileges of the web server process.
- Installing malicious plugins or themes to facilitate further attacks.
- Injecting SEO spam or malicious redirects to damage the site’s reputation and search rankings.
- Exfiltrating sensitive user data or modifying site content to spread misinformation.
Mitigation and Remediation
The developer, Themeum, has addressed this critical vulnerability by releasing Kirki version 6.0.7 on May 18, 2026. This update corrects the logic flaw by ensuring that password reset links are only dispatched to the email address verified within the WordPress user database.
Recommended Actions for Site Owners:
- Immediate Update: Ensure the Kirki plugin is updated to version 6.0.7 or higher immediately.
- Audit Administrative Accounts: Review your user list for any unauthorized or suspicious administrator accounts created recently. Because this exploit resets the password of an existing administrator rather than creating a new account, also check existing administrator accounts for unexpected password changes, changed email addresses, or logins from unfamiliar locations, and rotate the passwords of any account you cannot vouch for.
- Log Analysis: Inspect your server and plugin logs for unusual activity targeting the Kirki REST API endpoints, specifically looking for repeated or suspicious password reset requests. Keep in mind that a single well-targeted request is enough to exploit this flaw, so correlate any reset request to the endpoint with subsequent password changes and administrator logins rather than relying on request volume alone.
- Security Scanning: Utilize a reputable security scanner to check for any signs of post-compromise artifacts, such as unexpected files or modified core files.
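As an added example of the log analysis step, the following script scans web server access log lines in the common "combined" format for bursts of POST requests to reset-style REST routes. It is not part of the advisory or the plugin, and the route pattern it matches is an assumption (the advisory does not publish the exact endpoint path), so adjust TARGET_PATH_RE to the route your installed version exposes. The sample lines are constructed, not real traffic.

```php
<?php
// Added example, not from the advisory or the plugin. Scans access log lines
// for bursts of POSTs to password-reset-style REST routes.

// Combined log format: IP ident user [timestamp] "METHOD PATH PROTO" status size ...
const LOG_LINE_RE = '/^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/';

// ASSUMPTION: the advisory does not give the endpoint path; this matches any
// wp-json route mentioning forgot/reset/kirki. Tune to your actual route.
const TARGET_PATH_RE = '#^/wp-json/[^?]*(forgot|reset|kirki)#i';

function parse_log_line( string $line ): ?array {
    if ( ! preg_match( LOG_LINE_RE, $line, $m ) ) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat( 'd/M/Y:H:i:s O', $m['ts'] );
    if ( false === $ts ) {
        return null;
    }
    return array(
        'ip'     => $m['ip'],
        'time'   => $ts->getTimestamp(),
        'method' => $m['method'],
        'path'   => $m['path'],
        'status' => (int) $m['status'],
    );
}

/**
 * Returns source IPs that issued more than $threshold matching POSTs inside
 * any sliding window of $window seconds, mapped to the peak count seen.
 * Request bodies are not in an access log, so the usernames targeted cannot
 * be recovered here; this only surfaces volume, and a one-off request can
 * still be a successful exploit.
 */
function find_reset_bursts( array $lines, int $threshold = 5, int $window = 300 ): array {
    $by_ip = array();
    foreach ( $lines as $line ) {
        $r = parse_log_line( $line );
        if ( null === $r || 'POST' !== $r['method'] || ! preg_match( TARGET_PATH_RE, $r['path'] ) ) {
            continue;
        }
        $by_ip[ $r['ip'] ][] = $r['time'];
    }

    $hits = array();
    foreach ( $by_ip as $ip => $times ) {
        sort( $times );
        $start = 0;
        $peak  = 0;
        $n     = count( $times );
        for ( $end = 0; $end < $n; $end++ ) {
            while ( $times[ $end ] - $times[ $start ] > $window ) {
                $start++;
            }
            $peak = max( $peak, $end - $start + 1 );
        }
        if ( $peak > $threshold ) {
            $hits[ $ip ] = $peak;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic): one source hammers the route,
// another sends a single request, and a GET to wp-admin is ignored.
$sample = array(
    '203.0.113.7 - - [18/May/2026:10:00:01 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 55 "-" "curl/8.0"',
    '203.0.113.7 - - [18/May/2026:10:00:03 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 55 "-" "curl/8.0"',
    '198.51.100.4 - - [18/May/2026:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/May/2026:10:00:05 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 55 "-" "curl/8.0"',
    '203.0.113.7 - - [18/May/2026:10:00:07 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 55 "-" "curl/8.0"',
    '203.0.113.7 - - [18/May/2026:10:00:09 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 55 "-" "curl/8.0"',
    '203.0.113.7 - - [18/May/2026:10:00:11 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 55 "-" "curl/8.0"',
    '198.51.100.4 - - [18/May/2026:10:01:00 +0000] "POST /wp-json/kirki/v1/forgot-password HTTP/1.1" 200 55 "-" "Mozilla/5.0"',
);

foreach ( find_reset_bursts( $sample ) as $ip => $count ) {
    echo "{$ip}: {$count} reset POSTs within 5 minutes\n";
}
```

Run it with php on a file of log lines (replace $sample with file( '/var/log/apache2/access.log', FILE_IGNORE_NEW_LINES )) to get a short list of sources worth pivoting on. Treat the output as a starting point only: the next step is to match each flagged timestamp against user_registered and password-change events in the database and against administrator logins from the same address, since the successful exploit in this advisory needs exactly one request.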
Wordfence has already deployed firewall rules to protect Premium and Care customers, with expanded coverage for free users arriving in June 2026. However, manual updates remain the most effective defense against this critical threat.