A critical (CVSS 9.8) privilege escalation flaw in the Kirki WordPress plugin lets unauthenticated attackers hijack any account, including administrators, by redirecting password reset links to an attacker-controlled email address.
What Is It
CVE-2026-8206 is an unauthenticated account takeover vulnerability in the Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress. The plugin's password reset handler accepts an arbitrary email address when a username is supplied in the reset request, so an attacker can request a reset for any registered username and have the reset link delivered to an email address of their choosing instead of the one stored for that account. The flaw is classified as CWE-269 (Improper Privilege Management) and carries a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, no authentication, no user interaction required).
Why It Matters
Account takeover of a WordPress administrator effectively hands over the entire site. From an admin session, an attacker can install malicious plugins, modify themes to insert webshells, exfiltrate user data, deface content, or pivot into the underlying host. Because exploitation requires only an HTTP request to a publicly reachable endpoint and the knowledge of a username (often trivially enumerable on WordPress), mass exploitation by opportunistic scanners is a realistic risk. The CISA KEV catalog does not currently list this CVE, so there is no confirmation of in-the-wild exploitation from CISA at this time.
What's Vulnerable
- Plugin: Kirki – Freeform Page Builder, Website Builder & Customizer (WordPress)
- Affected versions: 6.0.0 through 6.0.6 (all versions in this range)
- Vulnerable code paths: ComponentLibrary/controller/CompLibFormHandler.php (lines 48 and 330) and ComponentLibrary/controller/ElementGenerator.php (line 227)
- Attack prerequisites: Unauthenticated network access to the WordPress site; knowledge of a target username.
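As an added example (not code from the advisory or from the Kirki project), a small Python check that reads the Version header of a plugin's main file and reports whether it falls inside the affected 6.0.0 through 6.0.6 range; the plugin file path is an assumption, and the header shown is a constructed sample.

```python
"""Check an installed Kirki plugin version against the affected range.

Added example for this advisory; the plugin path and header are assumptions.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# Affected range stated in the advisory (inclusive on both ends).
AFFECTED_MIN = (6, 0, 0)
AFFECTED_MAX = (6, 0, 6)

# Assumed location of the plugin's main file; adjust to the real install.
DEFAULT_PLUGIN_FILE = Path("wp-content/plugins/kirki/kirki.php")

# Constructed sample of a WordPress plugin header block (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Kirki
 * Description: constructed sample header for testing
 * Version: 6.0.4
 */
"""


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$",
                  header_text, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric dotted prefix as a tuple padded to 3 parts (6.1 -> (6,1,0)).

    Comparing tuples avoids the string-compare trap where '6.0.10' < '6.0.6'.
    """
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(x) for x in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(version: str) -> bool:
    """True if the version lies within 6.0.0 .. 6.0.6 inclusive."""
    return AFFECTED_MIN <= version_tuple(version) <= AFFECTED_MAX


def check_plugin_file(path: Path = DEFAULT_PLUGIN_FILE) -> Optional[bool]:
    """Read the first 8 KiB (as WordPress does) and classify; None if no header."""
    version = parse_plugin_version(path.read_text(errors="replace")[:8192])
    return None if version is None else is_affected(version)
```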
Patch Status
A fix has been committed upstream; see WordPress.org plugin changeset 3530843 referenced in the NVD record. Site operators running Kirki should update to a patched release beyond 6.0.6 immediately. Until updated, any site running an affected version should be treated as exposed to unauthenticated administrator takeover.