


Perceptive Security
SOC/SIEM Consultancy

Critical Kirki flaw exploited to hijack WordPress admin accounts
Published:
2 June 2026 at 22:12:57
Alert date:
2 June 2026 at 23:00:29
Source:
bleepingcomputer.com
Web Technologies, Zero-Day Vulnerabilities, Identity & Access
Hackers are actively exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress. The flaw allows attackers to hijack any user account on affected WordPress sites, including administrator accounts. The vulnerability represents a significant threat to WordPress sites using the Kirki plugin, as it enables complete account takeover with administrative privileges. Website administrators should immediately update the plugin or remove it if updates are not available.
Technical details
CVE-2026-8206 stems from a custom REST API password-reset endpoint that the plugin exposes through its 'handle_forgot_password()' function. The endpoint accepts an arbitrary, caller-supplied email address in the reset request: given a username, the plugin generates a valid password reset link for that account but emails it to the supplied address instead of the address registered on the account. An unauthenticated attacker can therefore obtain reset links for any registered user, including administrators, at a mailbox they control.
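The defect described above, as an added illustration that is not the Kirki plugin's own code: a minimal WordPress REST "forgot password" handler written first in the flawed shape (the link is generated for the named account but delivered to whatever address the request supplies) and then in a hardened form that takes the destination only from the stored user record. The route namespace, route path, parameter names and function names are assumptions for illustration; the WordPress API calls (`register_rest_route`, `get_user_by`, `get_password_reset_key`, `network_site_url`, `wp_mail`) are real.

```php
<?php
// Added example, not code from the Kirki plugin. Route, namespace and
// parameter names are assumed for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password_hardened',
        // A forgot-password endpoint is unauthenticated by nature; the fix
        // belongs in the handler, not in the permission callback.
        'permission_callback' => '__return_true',
    ) );
} );

// FLAWED pattern (the class of bug the advisory describes): a valid reset
// key is minted for the named user, but the mail goes to a request-supplied
// address rather than the account owner's registered address.
function example_handle_forgot_password_flawed( WP_REST_Request $request ) {
    $user = get_user_by( 'login', sanitize_user( (string) $request->get_param( 'username' ) ) );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Unknown user', array( 'status' => 404 ) );
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    // BUG: destination comes from the caller, so anyone can receive this link.
    wp_mail( sanitize_email( (string) $request->get_param( 'email' ) ), 'Password reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

// HARDENED form: the caller never chooses the destination. The link is sent
// only to the e-mail address stored on the account, and the response is the
// same whether or not the account exists, which also avoids user enumeration.
function example_handle_forgot_password_hardened( WP_REST_Request $request ) {
    $login = trim( (string) $request->get_param( 'user_login' ) );
    $user  = is_email( $login )
        ? get_user_by( 'email', $login )
        : get_user_by( 'login', sanitize_user( $login ) );

    if ( $user instanceof WP_User ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            // Destination is taken from the user record only; no request
            // parameter can redirect it.
            wp_mail(
                $user->user_email,
                'Password reset request',
                "Use this link to reset your password:\n" . $link
            );
        }
    }
    // Uniform response regardless of outcome.
    return rest_ensure_response( array(
        'message' => 'If the account exists, a reset link has been sent.',
    ) );
}
```

The hardened handler also illustrates the review question to ask of any custom reset endpoint: is there any code path where an address, username or user ID from the request decides where the reset token is delivered? If the plugin cannot be updated, disabling it removes the endpoint entirely; reset requests then fall through to WordPress core's `wp-login.php?action=lostpassword` flow, which only mails the registered address.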
Mitigation steps:
Upgrade to version 6.0.7, which was released on May 18, 2026, or disable the plugin until it can be updated. Wordfence reports blocking over 222 exploit attempts in the past 24 hours.
Affected products:
Kirki - Freeform Page Builder, Website Builder & Customizer plugin, versions 6.0.0 to 6.0.6
Related links:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kirki/kirki-600-606-unauthenticated-privilege-escalation-via-handle-forgot-password
https://www.wordfence.com/blog/2026/06/unauthenticated-privilege-escalation-vulnerability-patched-in-kirki-wordpress-plugin/
http://wordpress.org/plugins/kirki/advanced/
This article was created with the assistance of AI technology by Perceptive.
