A critical privilege escalation vulnerability in the Kirki — Freeform Page Builder plugin for WordPress, tracked as CVE-2026-8206, allows unauthenticated attackers to take over any registered user account — including administrators — by supplying their own email address in a password reset request. The vulnerability carries a CVSS score of 9.8 and affects versions 6.0.0 through 6.0.6. The attack is trivially executable: a single HTTP request with a known username and attacker-controlled email address enables full account takeover with no authentication or user interaction required.
What Is the Vulnerability?
CVE-2026-8206 is an improper privilege management vulnerability in Kirki’s password reset functionality. The vulnerability exists because the plugin’s password reset handler accepts an arbitrary email address supplied by the attacker when a valid username is provided in the reset request. Instead of validating that the email address matches the one associated with the user account in the WordPress database, the plugin accepts the attacker-supplied email address as the destination for the password reset link.
The attack flow is straightforward: the attacker sends a password reset request specifying a known WordPress username (such as “admin” or any username discoverable through WordPress’s user enumeration) and provides their own email address. The plugin processes the request and sends the password reset link to the attacker’s email address. The attacker clicks the link, sets a new password, and gains full access to the targeted account — including administrative accounts with complete site control.
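The pattern below, added here as an illustration and not taken from the Kirki plugin's CompLibFormHandler.php (the handler names reset_request_vulnerable and reset_request_hardened are assumed), contrasts a reset handler that mails the link to whatever address the request carries with one that only ever mails the address stored for the account and answers identically whether or not the username exists:

```php
<?php
// Illustrative WordPress password-reset handlers written for this advisory.
// Not the Kirki plugin's own code; WordPress core functions (get_user_by,
// get_password_reset_key, network_site_url, wp_mail) are used as documented.

// Flawed pattern: the account is looked up by username, but the reset link is
// sent to the email address supplied in the same request.
function reset_request_vulnerable( array $request ) {
    $user = get_user_by( 'login', sanitize_user( $request['username'] ?? '' ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' ); // also leaks which logins exist
    }
    $key  = get_password_reset_key( $user );
    $link = network_site_url( 'wp-login.php?action=rp&key=' . rawurlencode( $key )
        . '&login=' . rawurlencode( $user->user_login ), 'login' );
    // BUG: destination comes from the request, not from the user record.
    wp_mail( sanitize_email( $request['email'] ?? '' ), 'Password reset', $link );
    return true;
}

// Hardened pattern: the supplied email must match the stored one, the link is
// always sent to the stored address, and every outcome returns the same value.
function reset_request_hardened( array $request ) {
    $login = sanitize_user( $request['username'] ?? '' );
    $email = strtolower( sanitize_email( $request['email'] ?? '' ) );
    $user  = get_user_by( 'login', $login );

    // Generic response for unknown user, empty email, or mismatch: the endpoint
    // must not confirm which usernames or email addresses exist.
    if ( ! $user || '' === $email
        || ! hash_equals( strtolower( $user->user_email ), $email ) ) {
        return true;
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return true;
    }
    $link = network_site_url( 'wp-login.php?action=rp&key=' . rawurlencode( $key )
        . '&login=' . rawurlencode( $user->user_login ), 'login' );
    // Destination is read from the database, never from the request.
    wp_mail( $user->user_email, 'Password reset', "Reset your password: $link" );
    return true;
}
```

The hardened version still accepts an email field, because the advisory describes the fix as validating the supplied address against the account; an equally valid design drops the field entirely and derives the destination from the user record alone.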
The vulnerability is classified under CWE-269 (Improper Privilege Management):
- CVSS v3.1 Score: 9.8 (Critical)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Impact: High on confidentiality, integrity, and availability (C:H/I:H/A:H)
Which Versions Are Affected?
The vulnerability affects the Kirki — Freeform Page Builder, Website Builder & Customizer plugin for WordPress:
- Kirki versions 6.0.0 through 6.0.6 (inclusive)
Versions prior to 6.0.0 and versions 6.0.7 and later are not affected. Kirki is a widely used page builder and WordPress customizer plugin, commonly deployed on sites where it provides core site-building and customisation features — it is not a niche plugin with a small user base.
Is It Being Exploited in the Wild?
No large-scale exploitation has been publicly confirmed at the time of writing. However, the vulnerability was published on June 2, 2026 and is trivially exploitable at scale with no authentication or user interaction. The attack requires only a known WordPress username — which can be enumerated through standard WordPress user enumeration techniques (author archives, REST API, login error messages) — and an attacker-controlled email address. WordPress plugin vulnerabilities with CVSS 9.8 scores and unauthenticated attack vectors are routinely weaponised by automated scanning tools within days of disclosure. Organisations should assume exploitation tooling is imminent and patch proactively.
What Is the Fix?
The Kirki development team has released a patched version addressing CVE-2026-8206. The fix corrects the password reset flow to properly validate that the supplied email address matches the user account before sending the reset link. The vulnerable code is in CompLibFormHandler.php. The official plugin page is available at:
https://wordpress.org/plugins/kirki/
Administrators should update Kirki to version 6.0.7 or later via the WordPress admin dashboard:
- Navigate to Plugins > Installed Plugins
- Locate Kirki — Freeform Page Builder
- Click Update to version 6.0.7 or later
- Alternatively, update via WP-CLI:
wp plugin update kirki
Recommendations
Update Kirki immediately. The attack is trivially executable — a single HTTP request with a known username and attacker email address achieves full account takeover. CVSS 9.8 with no authentication or user interaction means every site running a vulnerable version is a single request away from compromise. If you cannot update immediately, disable the plugin until the patch can be applied.
Audit password reset activity. After updating, check WordPress email logs for password reset emails sent to unexpected external domains — particularly free email providers or domains you do not recognise. Review the WordPress user activity log for password reset requests that do not correspond to legitimate user-initiated password changes. Any password reset sent to an email address that does not match the user’s registered email should be treated as a potential exploitation attempt.
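The script below is an added example of that audit, not a Kirki or WordPress feature. It assumes a mail log in the constructed one-line-per-message format shown (real formats depend on the mail logging plugin or MTA in use) and a lookup of each login's registered address as stored in wp_users; both inputs are constructed samples:

```php
<?php
// Added audit helper for password reset emails. Example code for this
// advisory; log format, function names and sample data are constructed.

// Constructed sample: one line per email the site sent.
function sample_mail_log(): array {
    return [
        '2026-06-03T09:12:41Z to=alice@example.org login=alice subject="Password reset"',
        '2026-06-03T11:02:07Z to=catchall@freemail.example login=admin subject="Password reset"',
        '2026-06-03T11:02:09Z to=catchall@freemail.example login=editor subject="Password reset"',
        '2026-06-03T13:45:30Z to=bob@example.org login=bob subject="Weekly digest"',
    ];
}

// Constructed sample: registered email per login, as wp_users would report it.
function registered_emails(): array {
    return [
        'alice'  => 'alice@example.org',
        'admin'  => 'owner@example.org',
        'editor' => 'editor@example.org',
        'bob'    => 'bob@example.org',
    ];
}

function parse_log_line( string $line ): ?array {
    $re = '/^(?<ts>\S+) to=(?<to>\S+) login=(?<login>\S+) subject="(?<subject>[^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [ 'ts' => $m['ts'], 'to' => strtolower( $m['to'] ),
             'login' => $m['login'], 'subject' => $m['subject'] ];
}

// Flags (a) resets delivered to an address other than the account's registered
// one and (b) a single inbox collecting resets for several different accounts.
function find_suspicious_resets( array $log_lines, array $registered ): array {
    $flagged    = [];
    $recipients = []; // recipient => logins whose reset it received

    foreach ( $log_lines as $line ) {
        $e = parse_log_line( $line );
        if ( null === $e || false === stripos( $e['subject'], 'password reset' ) ) {
            continue; // malformed line or not a reset email
        }
        $expected = strtolower( $registered[ $e['login'] ] ?? '' );
        $recipients[ $e['to'] ][] = $e['login'];
        if ( $e['to'] !== $expected ) {
            $flagged[] = [
                'ts' => $e['ts'], 'login' => $e['login'], 'sent_to' => $e['to'],
                'registered' => $expected ?: '(unknown login)',
                'reason' => 'reset sent to an address that is not the registered email',
            ];
        }
    }
    foreach ( $recipients as $to => $logins ) {
        $n = count( array_unique( $logins ) );
        if ( $n > 1 ) {
            $flagged[] = [ 'sent_to' => $to, 'logins' => array_values( array_unique( $logins ) ),
                           'reason' => "one recipient received resets for $n accounts" ];
        }
    }
    return $flagged;
}

foreach ( find_suspicious_resets( sample_mail_log(), registered_emails() ) as $f ) {
    echo json_encode( $f ), PHP_EOL;
}
```

On the sample data this reports the admin and editor resets, which went to an address that matches neither account, and separately notes that the same inbox received resets for two accounts; the second signal is worth keeping even when a mismatch check alone is noisy, because a single request per account from one attacker-controlled address is exactly the pattern the advisory describes.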
Force-logout all users after patching. If your site was running a vulnerable version for any period after June 2, 2026, force-logout all users (Users > All Users > select all > Bulk Actions > Force Logout). This invalidates any sessions that may have been established through exploited password resets. After forcing logout, require all users — particularly administrators — to set new passwords on their next login.
Check for signs of compromise. Review the WordPress user list for any administrator accounts with recently changed passwords or email addresses. Check for unauthorised content modifications, newly installed plugins or themes, and unexpected configuration changes. If an administrative account was compromised through this vulnerability, the attacker had full site control and could have installed backdoors or modified site content.
Disable user enumeration on your WordPress site. This vulnerability requires a known username to target. WordPress exposes usernames through author archives, the REST API users endpoint, and login error messages by default. Implement measures to prevent username enumeration — this reduces the attack surface for this and future account-targeting vulnerabilities. Consider using a security plugin that masks usernames and blocks user enumeration attempts.
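As an added example, not part of Kirki or WordPress core, the must-use plugin below closes the three enumeration paths named above using core hooks (template_redirect, rest_endpoints, login_errors); the file name and plugin header are assumed, and the REST change should be reviewed against any front-end feature that legitimately reads /wp/v2/users anonymously:

```php
<?php
/**
 * Plugin Name: Reduce username enumeration (example)
 *
 * Example mu-plugin written for this advisory. Place it in
 * wp-content/mu-plugins/ so it loads before regular plugins.
 */

// 1. Author archives: a request for /?author=1 normally redirects to
//    /author/<login>/, disclosing the username. Send anonymous numeric
//    author probes to the home page instead; named archives are unaffected.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() || ! isset( $_GET['author'] ) ) {
        return;
    }
    if ( preg_match( '/^\d+$/', (string) wp_unslash( $_GET['author'] ) ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// 2. REST API: remove the users routes for unauthenticated callers only.
//    Logged-in users keep them, since the block editor's author picker and
//    similar admin features query /wp/v2/users.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 3. Login form: one generic message whether the username or the password was
//    wrong, so failed logins cannot be used to confirm that a login exists.
add_filter( 'login_errors', function () {
    return 'Invalid username or password.';
} );
```

Note that hiding the users endpoint from anonymous callers does not make a password reset endpoint safe on its own; it only removes one of the ways a username is obtained, which is why it is a complement to the 6.0.7 update rather than a substitute for it.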
References
- NVD: CVE-2026-8206
- Kirki Plugin Trac — Vulnerability Source
- Vulnerability Intelligence Report — June 2, 2026
This advisory was first covered in the broader Vulnerability Intelligence Report — June 2, 2026. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full report.
