Urgent Security Alert: Exploitation of Privilege Escalation Vulnerability in WordPress Plugin
Recent findings have revealed that a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress is being actively exploited by hackers.
This flaw enables unauthorized parties to seize control of any user account, including those with administrative privileges.
The severity of this threat was highlighted by the WordPress security firm Defiant, which noted that its Wordfence firewall successfully thwarted over 222 attempted incursions within a mere 24-hour period.
The Kirki plugin, formally designated as Kirki – Freeform Page Builder, Website Builder & Customizer, serves as an advanced theme customizer and visual builder, actively employed on more than 500,000 websites globally.
According to a report from Wordfence, this vulnerability was introduced in the latest major release, version 6.0.0, and affects versions 6.0.0 through 6.0.6.
Alarmingly, these versions constitute nearly 40% of the plugin’s user base, as indicated by download statistics from WordPress.org.
The crux of CVE-2026-8206 lies in the exposure of a custom REST API endpoint for password resets facilitated by the ‘handle_forgot_password()’ function.
This vulnerability occurs due to the plugin’s acceptance of arbitrary email addresses during password reset requests.
Specifically, when a username is entered, the plugin generates a legitimate password reset link for the corresponding account.
However, disconcertingly, it forwards this link to the email address provided by the attacker rather than the legitimate owner’s registered address.
This oversight renders it exceedingly straightforward for unauthorized users to generate password reset links for any account on the platform, thereby effortlessly hijacking them.
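The defect described above is a design-level one: the request supplies both the target account and the address the reset link is mailed to. The handler below is an added illustration written for this article; it is not the Kirki plugin's code, and its route namespace, callback name and the `example_` prefix are hypothetical. It shows the weak pattern in a comment and then the form a reset endpoint should take, using only WordPress core functions (`get_password_reset_key()`, `wp_mail()`, `network_site_url()`).

```php
<?php
// Added example, not Kirki's code. The route, namespace and function names
// are invented for illustration; the WordPress core calls are real.

add_action('rest_api_init', function () {
    register_rest_route('example/v1', '/forgot-password', [
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password',
        // A reset endpoint is necessarily unauthenticated, which is exactly
        // why it must never trust a destination address from the request.
        'permission_callback' => '__return_true',
        'args'                => [
            'user_login' => [
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ],
        ],
    ]);
});

/*
 * Weak pattern (the class of bug the article describes). The caller chooses
 * both the account and where the link is delivered, so the link never has
 * to reach the account owner:
 *
 *   $to  = $request->get_param('email');   // caller-controlled destination
 *   $key = get_password_reset_key($user);  // valid link for someone else's account
 *   wp_mail($to, 'Password reset', $reset_url);
 */

function example_handle_forgot_password(WP_REST_Request $request) {
    $login = $request->get_param('user_login');

    // Accept a username or an email as the lookup key, but resolve the
    // account server-side; the request body never names a recipient.
    $user = is_email($login)
        ? get_user_by('email', $login)
        : get_user_by('login', $login);

    // Same response whether or not the account exists, so the endpoint
    // does not double as a username-enumeration oracle.
    $response = rest_ensure_response([
        'message' => 'If that account exists, a reset link has been sent.',
    ]);
    if (!$user) {
        return $response;
    }

    // Core stores a hashed, time-limited key and honours the
    // allow_password_reset filter; a WP_Error means "do not reset".
    $key = get_password_reset_key($user);
    if (is_wp_error($key)) {
        return $response;
    }

    $reset_url = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode($key)
            . '&login=' . rawurlencode($user->user_login),
        'login'
    );

    // The only recipient is the address already stored on the account.
    wp_mail(
        $user->user_email,
        __('Password reset'),
        "Someone requested a password reset for this account.\n" . $reset_url
    );

    return $response;
}
```

The two properties that matter are visible in the hardened handler: the recipient comes from `$user->user_email` rather than from the request, and the "account not found" path returns the same body as the success path. In practice a plugin rarely needs a custom endpoint at all; WordPress core's own `retrieve_password()` already implements this flow, and reusing it keeps the reset logic inside code that the core maintainers review.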
Once attackers achieve administrative access, they can instigate a range of nefarious activities, including the installation of malicious plugins, alteration of website content, deployment of web shells or persistent backdoors, and unauthorized access to sensitive databases.
This vulnerability was initially identified by security researcher CHOIGYENGMIN, who reported the issue to Wordfence on May 4, 2026.
Following this, the company informed the vendor on May 16, culminating in the release of a patch in version 6.0.7 just two days later, on May 18, 2026.

In light of the active exploitations surrounding CVE-2026-8206 and the minimal prerequisites for launching attacks, it is imperative for website owners and administrators to promptly upgrade to version 6.0.7 or consider deactivating the plugin entirely.
Source link: Bleepingcomputer.com.