The Kirki WordPress plugin for page building and website customization contains a critical vulnerability in versions 6.0.0 to 6.0.6 that allows privilege escalation through account takeover. The flaw stems from the plugin accepting arbitrary email addresses during password reset requests when a username is provided. This enables unauthenticated attackers to redirect password reset links for any registered user to their own email address, effectively taking control of victim accounts. The vulnerability affects the plugin's password reset functionality and poses a significant security risk to WordPress sites using the affected versions.