
34 matches found

Cvelist, added yesterday, 19 views

CVE-2026-57680 WordPress Kirki plugin <= 6.0.11 - Insecure Direct Object References (IDOR) vulnerability

Unauthenticated Insecure Direct Object References IDOR in Kirki <= 6.0.11 versions...

CVSS 6.5. Exploits 0, References 1.
NVD, added yesterday, 6 views

CVE-2026-12472

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

CVSS 5.3, EPSS 0.00492. Exploits 0, References 6.
Cvelist, added yesterday, 19 views

CVE-2026-12472 Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Arbitrary Email Content Injection (Mail Relay / Phishing) via 'emailBody' and 'emailSubject' Parameters

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

CVSS 5.3, EPSS 0.00492. Exploits 0, References 6.
CVE, added yesterday, 8 views

CVE-2026-12122

The CVE-2026-12122 entry documents a vulnerability in the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions up to and including 6.0.11). The issue is a Sensitive Information Exposure via get_single_symbol that allows unauthenticated attackers to extract full b...

CVSS 5.3, AI score 5.8, EPSS 0.00495. Exploits 0, References 8.
Patchstack, added 3 days ago, 5 views

WordPress Kirki plugin <= 6.0.11 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References IDOR vulnerability discovered by VanTastic in WordPress Plugin Kirki versions <= 6.0.11...

CVSS 6.5, AI score 5.8. Exploits 0, Affected Software 1.
NVD, added last week, 5 views

CVE-2026-57627

Subscriber Server Side Request Forgery SSRF in Kirki <= 6.0.11 versions...

CVSS 4.9, EPSS 0.0018. Exploits 0, References 1.
CVE, added last week, 14 views

CVE-2026-57627

CVE-2026-57627 describes a Server-Side Request Forgery (SSRF) in the WordPress Kirki plugin, versions

CVSS 4.9, AI score 5.8, EPSS 0.0018. Exploits 0, References 1.
RedhatCVE, added 2026/06/05 7:10 p.m., 12 views

CVE-2026-8073

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for...

CVSS 7.5, AI score 5.6, EPSS 0.00564. Exploits 0, References 1.
GithubExploit, added 2026/06/05 9:59 a.m., 81 views

Exploit for CVE-2026-8206

CVE-2026-8206 - Kirki Account Takeover Lab Local Docker lab f...

CVSS 9.8, AI score 5.6, EPSS 0.0126. Exploits 4.
GithubExploit, added 2026/06/02 10:53 a.m., 155 views

Exploit for CVE-2026-8206

CVE-2026-8206 - Kirki WordPress Plugin Mass Exploit !Python...

CVSS 9.8, AI score 6, EPSS 0.0126. Exploits 4.
NVD, added 2026/06/02 4:17 a.m., 19 views

CVE-2026-8206

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

CVSS 9.8, EPSS 0.0126. Exploits 4, References 8.
Cvelist, added 2026/06/02 3:28 a.m., 54 views

CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

CVSS 9.8, EPSS 0.0126. Exploits 4, References 8.
CVE, added 2026/06/02 3:28 a.m., 135 views

CVE-2026-8206

The CVE-2026-8206 entry documents an unauthenticated privilege-escalation vulnerability in the Kirki – Freeform Page Builder for WordPress, affecting versions 6.0.0–6.0.6. The root cause is in the password-reset flow: the vulnerable CompLibFormHandler.php reads an attacker-supplied email from the...

CVSS 9.8, AI score 5.9, EPSS 0.0126. In wild. Exploits 4, References 8.
ATTACKERKB, added 2026/06/02 3:28 a.m., 10 views

CVE-2026-8206

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

CVSS 9.8, AI score 5.9, EPSS 0.0126. Exploits 4, References 9, Affected Software 1.
Vulnrichment, added 2026/06/02 3:28 a.m., 27 views

CVE-2026-8206 Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. Thi...

CVSS 9.8, AI score 5.9, EPSS 0.0126. Exploits 4, References 8.
Positive Technologies, added 2026/06/02 12:00 a.m., 21 views

PT-2026-45693

Name of the Vulnerable Software and Affected Versions: Kirki versions 6.0.0 through 6.0.6. Description: The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress contains a flaw allowing unauthenticated privilege escalation and account takeover. The issue occurs because th...

CVSS 9.8, AI score 5.5, EPSS 0.0126. Exploits 4, References 41.
Patchstack, added 2026/06/01 5:17 p.m., 14 views

WordPress Kirki plugin 6.0.0-6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' vulnerability

Unauthenticated Privilege Escalation via 'handle_forgot_password' vulnerability discovered by CHOIGYEONGMIN in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions 6.0.0-6.0.6...

CVSS 9.8, AI score 5.8, EPSS 0.0126. Exploits 4, References 1, Affected Software 1.
Wordfence Blog, added 2026/06/01 3:51 p.m., 17 views

Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin

On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduce...

CVSS 9.8, AI score 5.7, EPSS 0.0126. Exploits 4.
Patchstack, added 2026/05/21 11:32 a.m., 16 views

WordPress Kirki – Freeform Page Builder, Website Builder & Customizer plugin <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion vulnerability

Unauthenticated Limited Arbitrary File Read and Deletion vulnerability discovered by Rafie Muhammad - Awesome Motive, Inc. in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions <= 6.0.6...

CVSS 7.5, AI score 5.8, EPSS 0.00564. Exploits 0, References 1, Affected Software 1.
NVD, added 2026/05/19 7:16 p.m., 18 views

CVE-2026-8073

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for...

CVSS 7.5, EPSS 0.00564. Exploits 0, References 3.