
CVE-2026-8206

WordPress Kirki Plugin · CRITICAL · CVSS 9.8 · No exploitation reported

What is CVE-2026-8206?

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions from 6.0.0 through 6.0.6 inclusive. The plugin's password reset request identifies the target account by username but accepts an arbitrary email address in the same request and sends the reset link to that address instead of the one on file for the account. An unauthenticated attacker can therefore request a reset for any registered user, including administrators, and have the reset link delivered to a mailbox they control. The CVSS vector (PR:N, UI:N) reflects that no credentials and no victim interaction are required.
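The flaw described above is a data-flow bug in a reset handler, not a missing access check. The following is an added, illustrative WordPress handler written for this page; it is not the Kirki plugin's code, and the function names, POST field names and AJAX action (demo_reset_vulnerable, demo_reset_fixed, user_login, user_email, demo_reset) are assumptions chosen for the example. The first function shows the vulnerable pattern the advisory describes; the second shows the hardened form, where the request may choose which account is reset but never where the link is sent.

```php
<?php
/*
 * Illustrative password-reset handler for a WordPress plugin.
 * Hypothetical example written for this page: NOT the Kirki plugin's
 * code. Function names, POST field names and the AJAX action are
 * assumptions. WordPress core functions used (get_user_by,
 * get_password_reset_key, network_site_url, wp_mail, ...) are real.
 */

// VULNERABLE PATTERN (the class of bug the advisory describes):
// the account is resolved from the submitted username, but the reset
// link is mailed to whatever email address the request carries.
function demo_reset_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );

    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user' ); // exits
    }

    $key = get_password_reset_key( $user );   // string key or WP_Error
    if ( is_wp_error( $key ) ) {
        wp_send_json_error( 'could not create key' );
    }

    $link = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key )
        . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // BUG: $email is attacker-controlled, so the reset link for "admin"
    // is delivered to the attacker's own mailbox. sanitize_email() only
    // checks the format; it does not tie the address to the account.
    wp_mail( $email, 'Password reset', "Reset your password: $link" );
    wp_send_json_success();
}

// HARDENED PATTERN: the destination is always the address stored on the
// account. Any email field in the request is ignored entirely, so the
// request can pick *which* account is reset but never *where* the link
// goes. A nonce would not fix this bug: the attacker is the one sending
// the request, so CSRF protection is irrelevant to the takeover.
function demo_reset_fixed() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );

    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        // Respond identically for unknown and known users so the
        // endpoint does not double as a username enumeration oracle.
        wp_send_json_success();
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        wp_send_json_success();
    }

    $link = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key )
        . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // Only the email on file for the account ever receives the link.
    wp_mail( $user->user_email, 'Password reset', "Reset your password: $link" );
    wp_send_json_success();
}

// Reset requests are legitimately unauthenticated, so the endpoint must
// be registered for logged-out users; the fix is in the data flow above.
add_action( 'wp_ajax_nopriv_demo_reset', 'demo_reset_fixed' );
add_action( 'wp_ajax_demo_reset', 'demo_reset_fixed' );
```

To verify a patched site, submit a reset request for a test account that names the account's username together with an email address you do not own, then confirm that the reset mail reaches only the address registered on the account. If the plugin exposes its own reset endpoint rather than wp-login.php, the same check applies to that endpoint.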

CVSS: 9.8 (NVD, CVSS v3.1)
Severity: CRITICAL
Exploitation: No exploitation reported
EPSS: <1% · P30
Triage status: No Known Exploit
Action: Patch within 48 hours
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD published: 2026-06-02
NVD last modified: 2026-06-02

Affected product

WordPress Kirki Plugin

Remediation Steps

  1. Update the Kirki plugin to the vendor's fixed release as a priority. Every version from 6.0.0 through 6.0.6 is affected; this page does not list the fixed version, so take it from the vendor advisory or the plugin changelog.
  2. Until the update is applied, deactivate the plugin or block its password-reset functionality at the web server or WAF. The flaw is reachable without authentication, so restricting access to wp-admin alone does not close it.
  3. Review web server, plugin and mail logs for password-reset requests that supplied an email address different from the one on file for the named user, and for reset emails delivered to addresses not registered on the site. Treat any account targeted this way, especially administrators, as potentially compromised: rotate its password and invalidate its sessions.
  4. Confirm the fixed version against the official vendor advisory before deploying.

🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.
