

WordPress sites running the Kirki plugin versions 6.0.0 through 6.0.6. The plugin is installed on over 500,000 WordPress sites; approximately 150,000 were running vulnerable versions at time of publication.
A critical unauthenticated privilege escalation vulnerability was discovered in the Kirki WordPress plugin. The flaw exists in the password reset mechanism and allows an unauthenticated attacker to take over arbitrary user accounts, including administrator accounts. Successful exploitation leads to full site compromise, enabling attackers to gain administrative access, modify website content, install malicious plugins or backdoors, and maintain persistent control over the affected WordPress site.
CVE-2026-8206 assigned with CVSS 9.8. Patch released in version 6.0.7. Active exploitation confirmed at time of publication. Approximately 150,000 sites remained on vulnerable versions when the advisory was issued.
Any publicly accessible WordPress site running Kirki 6.0.0 through 6.0.6. No authentication is required to exploit the vulnerability. The attack surface is the custom REST API endpoint exposed by the plugin for frontend password reset requests.
CVE-2026-8206 (CVSS 9.8) - The vulnerability originates in the handle_forgot_password() function within the CompLibFormHandler class. The custom REST API endpoint for password resets accepts an attacker-supplied email address instead of using the account's registered email. By sending a crafted password reset request containing a target username and an attacker-controlled email address, an attacker receives the password reset link and gains full access to the targeted account. No authentication is required at any step.
An unauthenticated attacker sends a crafted POST request to the Kirki password reset REST API endpoint, specifying a target username (such as an administrator account) and an attacker-controlled email address. The plugin sends the password reset link to the attacker-controlled address. The attacker uses the link to reset the account password and gains full administrative access. Post-exploitation activity can include installing malicious plugins, injecting web shells, exfiltrating user data and site content, or establishing persistent backdoor access.
Full administrative takeover of affected WordPress sites is possible without any credentials. Attackers can install backdoors and malicious plugins, inject web shells, modify or delete content, exfiltrate user data and site content, and maintain persistent control. Service disruption, data exposure, and full infrastructure compromise are all plausible outcomes.
Risk is rated High for large and medium government and business entities, and Medium for small government and small business entities. The scale of exposure is significant: 150,000 sites running vulnerable versions creates a broad opportunistic attack surface. The ease of exploitation (no authentication, single HTTP request) means automated mass exploitation is feasible.
Upgrade the Kirki plugin to version 6.0.7 or later immediately. The vulnerability is fully addressed in the patched release. Review all user accounts and privilege assignments for unauthorized accounts, suspicious password resets, or unexpected permission changes. Audit website files, plugins, and themes for unauthorized modifications, malicious uploads, or web shells. Deploy and maintain Web Application Firewall protections to detect and block malicious requests targeting the password reset REST API endpoint.
If exploitation is suspected, assume any administrator account may be compromised. Rotate all administrative credentials, review recently installed plugins and uploaded files, and scan for web shells and unauthorized file modifications. Preserve access logs for forensic analysis. Enforce the Principle of Least Privilege across all user accounts and administrative functions. Consider virtual patching solutions for interim protection where immediate deployment is not possible. Monitor security logs continuously for indicators of attempted or successful exploitation.
Wordfence Blog - Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin. Orca Security Blog - Kirki WordPress Plugin Vulnerability CVE-2026-8206. CVE Record: CVE-2026-8206.
Trusted by clients worldwide






Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.




