The Kirki WordPress plugin versions 6.0.0 to 6.0.6 contains a critical privilege escalation vulnerability that allows account takeover. The vulnerability stems from the plugin accepting arbitrary email addresses during password reset requests when a username is provided. This flaw enables unauthenticated attackers to redirect password reset links for any registered user to their own email address, effectively allowing them to take over any account on the affected WordPress site. The vulnerability affects the Freeform Page Builder, Website Builder & Customizer plugin functionality.