Hackers are exploiting a critical privilege escalation flaw in the Kirki WordPress plugin to take over user accounts, including administrator accounts, with Wordfence blocking more than 222 attack attempts in the past 24 hours, according to a technical analysis from Wordfence.
KEY FACTS
- Vulnerability: CVE-2026-8206 affects the Kirki – Freeform Page Builder, Website Builder & Customizer plugin.
- Impact: The flaw can let unauthenticated attackers generate password reset links for any user.
- Affected versions: Versions 6.0.0 through 6.0.6 are exposed.
- Fix: Version 6.0.7 was released on May 18, 2026.
The plugin is active on more than 500,000 websites. Wordfence said the issue was introduced in version 6.0.0 and, judging by download statistics from WordPress.org, affects nearly 40% of the plugin’s user base.
The flaw affects a custom REST API endpoint used for password resets through the handle_forgot_password() function. The plugin accepts an arbitrary email address during reset requests, then sends the valid reset link to the attacker-supplied address instead of the account owner’s registered email address.
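The pattern described above, shown as an added illustration rather than the Kirki plugin's own code: a hypothetical REST callback that mails the reset link to an address taken from the request, next to a corrected handler that looks the account up and mails only the address stored on it. The route namespace, path, parameter names and function names are assumptions; the WordPress calls (`get_user_by`, `get_password_reset_key`, `wp_mail`, `register_rest_route`) are real core APIs.

```php
<?php
// Added example, not the plugin's code. Illustrates the bug class the article
// describes and a hardened counterpart. Route and function names are assumed.

// INSECURE pattern: the recipient of the reset mail comes from the request.
function example_forgot_password_insecure( WP_REST_Request $request ) {
    $login = sanitize_text_field( $request->get_param( 'login' ) );
    $email = sanitize_email( $request->get_param( 'email' ) ); // request-controlled
    $user  = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    $key = get_password_reset_key( $user ); // valid reset token for $user
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $url = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    // Defect: the token that resets $user's password is sent to $email,
    // which is whatever the caller supplied, not the account's address.
    wp_mail( $email, 'Password reset', 'Reset your password: ' . $url );
    return rest_ensure_response( array( 'sent' => true ) );
}

// HARDENED pattern: the request value is used only to find the account; the
// recipient is always the address WordPress stores for that account.
function example_forgot_password_secure( WP_REST_Request $request ) {
    $identifier = sanitize_text_field( $request->get_param( 'user' ) );
    $user = is_email( $identifier )
        ? get_user_by( 'email', $identifier )
        : get_user_by( 'login', $identifier );

    if ( $user ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $url = network_site_url(
                'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            // Recipient is the registered address; nothing from the request is used here.
            wp_mail( $user->user_email, 'Password reset', 'Reset your password: ' . $url );
        }
    }
    // Identical response whether or not the account exists, so the endpoint
    // does not reveal which logins or addresses are registered.
    return rest_ensure_response(
        array( 'message' => 'If the account exists, a reset link has been sent.' )
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_forgot_password_secure',
        // Public by design (a reset flow must work unauthenticated);
        // rate limiting belongs in front of it, not in place of the recipient check.
        'permission_callback' => '__return_true',
        'args'                => array(
            'user' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The two handlers differ in one line: where the recipient of `wp_mail()` comes from. WordPress core already provides this lookup-and-mail flow as `retrieve_password()`, so a custom endpoint that needs a password reset can delegate to it rather than generating and mailing the key itself. When reviewing a plugin's reset endpoint, the check is simply whether any request parameter can reach the recipient argument of the mail call.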
Security researcher CHOIGYENGMIN reported the bug to Wordfence on May 4, 2026. The company notified the vendor on May 16, and the patched version followed two days later. If an attacker gets admin-level access, the report says they could install malicious plugins, change website content, deploy web shells or backdoors, and access private databases.
WHY IT MATTERS
The disclosure shows how a simple flaw in password reset handling can lead to full site compromise, especially when exploitation is already under way. Website owners are being urged to update to version 6.0.7 or disable the plugin.