27 matches found
CVE-2026-8073
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for...
Exploit for CVE-2026-8206
CVE-2026-8206 - Kirki Account Takeover Lab Local Docker lab f...
Exploit for CVE-2026-8206
CVE-2026-8206 - Kirki WordPress Plugin Mass Exploit !Python...
CVE-2026-8206
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...
CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...
CVE-2026-8206
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...
CVE-2026-8206
The Kirki plugin for WordPress (Kirki – Freeform Page Builder, Website Builder & Customizer) versions 6.0.0–6.0.6 contain an unauthenticated privilege-escalation flaw in the password-reset flow. When a username is provided, the code ignores the target user’s email and uses the email supplied in t...
CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...
PT-2026-45693
Name of the Vulnerable Software and Affected Versions Kirki versions 6.0.0 through 6.0.6 Description The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress contains a flaw allowing unauthenticated privilege escalation and account takeover. The issue occurs because th...
WordPress Kirki plugin 6.0.0-6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' vulnerability
Unauthenticated Privilege Escalation via 'handleforgotpassword' vulnerability discovered by CHOIGYEONGMIN in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions 6.0.0-6.0.6...
Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin
On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduce...
WordPress Kirki – Freeform Page Builder, Website Builder & Customizer plugin <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion vulnerability
Unauthenticated Limited Arbitrary File Read and Deletion vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions = 6.0.6...
CVE-2026-8073
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for...
CVE-2026-8096
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-8073
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for...
EUVD-2026-30976
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for...
CVE-2026-8073 Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for...
CVE-2026-8073 Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for...
CVE-2026-8073
The CVE concerns the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin. Affected versions: all up to 6.0.6. Root cause: insufficient file path validation and missing capability check in the downloadZIP function. Impact: unauthenticated attackers can read and delete arbi...
CVE-2026-8096 Kirki <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via 'kirki_wp_admin_get_apis' Action
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...