A serious security flaw in the Kirki WordPress plugin has put over 500,000 websites at risk of account takeover. An estimated 150,000 sites are still running unpatched versions and remain exposed.
Critical Flaw Details
Tracked as CVE-2026-8206 with a CVSS score of 9.8, the flaw affects Kirki plugin versions 6.0.0 through 6.0.6. It lets an attacker abuse a flawed password reset mechanism to take over arbitrary accounts, administrator accounts included, escalating from no access at all to full control of the site.
The vulnerability was discovered by security researcher Choigyeongmin and reported through the Wordfence Bug Bounty Program, earning a bounty of $6,436. Wordfence confirmed the issue on May 8, 2026, and deployed firewall protection for its premium users by May 9, ahead of public disclosure.
Technical Analysis of the Exploit
The Kirki plugin, widely used for WordPress customization and page building, exposes a REST API endpoint that handles password reset requests. The flaw lies in the handle_forgot_password() function, which does not verify that the username and email submitted in a request belong to the same account.
A correct password reset flow resolves the account first and sends the reset link only to the email address stored for that account. The affected versions instead accept both a username and an email parameter and never check that they match. An attacker can therefore supply a real username, such as an administrator's, together with an email address they control, and the plugin mails a valid reset token for that user to the attacker's address.
With the reset link in hand, the attacker sets a new password for the victim account and logs in as that user. From an administrator session they can install malicious plugins, plant backdoors, or create additional administrator accounts to keep access after the original password is changed.
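The following is an added illustration, not code from the Kirki plugin or from Wordfence, of the flaw in the shape the advisory describes beside a hardened version. The route namespace, endpoint path, parameter names and function names are assumptions; only the hardened handler is wired to the route. The WordPress functions used (register_rest_route, get_user_by, get_password_reset_key, wp_mail, network_site_url) are the standard core APIs.

```php
<?php
// Hypothetical reconstruction of a REST password-reset handler.
// Namespace, path, parameter names and function names are assumed.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password_fixed',
        'permission_callback' => '__return_true', // reset endpoints are unauthenticated by design
    ) );
} );

// VULNERABLE shape (not wired to the route): the caller supplies both 'username'
// and 'email'. The handler resolves the user from 'username' but never checks that
// 'email' is the address stored for that user, so a valid reset token for, say,
// the site administrator is mailed to whatever address the attacker submitted.
function example_handle_forgot_password_vulnerable( WP_REST_Request $request ) {
    $username = sanitize_user( (string) $request->get_param( 'username' ) );
    $email    = sanitize_email( (string) $request->get_param( 'email' ) );

    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        // Distinct error also lets the endpoint be used for user enumeration.
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }

    $key = get_password_reset_key( $user ); // genuine token for $user
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    wp_mail( $email, 'Password reset', "Reset your password: $link" ); // attacker-chosen recipient
    return rest_ensure_response( array( 'sent' => true ) );
}

// HARDENED: accept one identifier, resolve it to an account, and mail the token
// only to the address stored on that account. The response is identical whether
// or not an account matched, so the endpoint cannot be used to enumerate users.
function example_handle_forgot_password_fixed( WP_REST_Request $request ) {
    $login = trim( (string) $request->get_param( 'user_login' ) );
    $user  = is_email( $login )
        ? get_user_by( 'email', $login )
        : get_user_by( 'login', sanitize_user( $login ) );

    if ( $user instanceof WP_User ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            // Recipient comes from the user record, never from the request.
            wp_mail( $user->user_email, 'Password reset', "Reset your password: $link" );
        }
    }

    // Uniform reply: no signal about whether $login matched an account.
    return rest_ensure_response( array(
        'message' => 'If an account matches, a reset link has been sent to its registered email address.',
    ) );
}
```

The essential difference is a single line: the recipient of wp_mail() must be derived from the resolved WP_User object, not from request input. Rate limiting the endpoint is a sensible addition but is separate from the fix itself.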
Urgent Mitigation Required
The vulnerability was reported to Themeum on May 15, 2026, and a fix was released in version 6.0.7 three days later. Site administrators should update the Kirki plugin to version 6.0.7 or later without delay.
Wordfence firewall rules offer an additional layer of protection: premium users are already covered, and free users are scheduled to receive the rule by June 8, 2026. The flaw requires no authentication and no special conditions beyond a valid username, so it is a serious threat to any unpatched site, especially where usernames are easy to discover or the login page is publicly reachable. Beyond updating, administrators should watch for password reset emails or reset requests they did not initiate and review the list of administrator accounts for any that were added without authorization.
