Critical Kirki flaw exploited to hijack WordPress admin accounts
Attackers are actively exploiting a serious privilege escalation flaw (CVE-2026-8206) in the Kirki WordPress plugin, enabling them to seize control of any account on an affected site — including administrator accounts.
Security firm Defiant, which makes the Wordfence firewall, detected the attacks and reports blocking more than 222 exploitation attempts against its customers within a single day.
The plugin in question — formally known as Kirki Freeform Page Builder, Website Builder & Customizer — is a popular visual builder and theme customization tool installed on over half a million websites.
According to Wordfence, the vulnerability was introduced in version 6.0.0 and affects all releases through 6.0.6. Based on download data from WordPress.org, those vulnerable versions are running on roughly 40% of all Kirki installations.
The root cause is a poorly secured custom REST API endpoint tied to the plugin's password reset function.
When a reset request is submitted with a valid username, the plugin generates a legitimate reset link for that account — but delivers it to whatever email address the requester supplies, rather than the one on file for the account owner. This means anyone can silently hijack any user account without needing to be logged in.
An attacker who gains admin access this way could install rogue plugins, alter site content, plant backdoors, or access sensitive database information.
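As an added illustration of the flaw class described above (this is not Kirki's code, nor Wordfence's), the following hypothetical WordPress REST handler shows the hardened shape of an unauthenticated password reset endpoint: the reset link is only ever delivered to the address already stored on the account, never to one chosen by the caller. The route namespace, path and parameter names are placeholders.

```php
<?php
// Added example, not the plugin's code. Namespace, route and parameter names are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/reset-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_request_password_reset',
        // A reset must work for logged-out users, so the endpoint is deliberately
        // open. That makes the handler logic below the only line of defence.
        'permission_callback' => '__return_true',
        'args'                => array(
            'username' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_user',
            ),
        ),
    ) );
} );

function example_request_password_reset( WP_REST_Request $request ) {
    $user = get_user_by( 'login', $request->get_param( 'username' ) );

    // Same response whether or not the account exists, so the endpoint
    // cannot be used to confirm valid usernames.
    $response = new WP_REST_Response(
        array( 'message' => 'If the account exists, a reset link has been sent.' ),
        200
    );
    if ( ! $user ) {
        return $response;
    }

    // Core generates and stores the reset key; it is never returned to the caller.
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $response;
    }

    // The flawed pattern described in the article honours a caller-supplied address
    // (e.g. $request->get_param( 'email' )). The link must go only to $user->user_email.
    $reset_url = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    wp_mail( $user->user_email, 'Password reset', 'Reset your password: ' . $reset_url );

    return $response;
}
```

Review of any custom reset endpoint should check exactly these two points: whether the recipient address is derived from the stored account record, and whether the reset key or link ever appears in the HTTP response.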
The vulnerability was discovered by researcher CHOIGYENGMIN, who reported it to Wordfence on May 4, 2026. The vendor was notified on May 16 and released a patched version, 6.0.7, two days later.
Given that attacks are already underway and require no authentication, site owners running Kirki should update to version 6.0.7 immediately or deactivate the plugin until they can do so.