Kirki privilege escalation flaw actively exploited (CVE-2026-8206)
Vulnerability
Summary
CVE-2026-8206 in Kirki - Freeform Page Builder, Website Builder & Customizer is being actively exploited to hijack WordPress accounts, including administrator accounts. The flaw affects versions 6.0.0 through 6.0.6 and was fixed in 6.0.7. Site owners should upgrade immediately or disable the plugin.
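A small triage helper for the upgrade-or-disable decision above, added here as an example; it is not code from the page, from Wordfence or from the Kirki project. It reads the standard WordPress plugin header (the `Version:` line in the plugin's main PHP file) and reports whether the version falls in the affected range the summary gives (6.0.0 through 6.0.6 inclusive, fixed in 6.0.7). The sample header below is constructed; the real header wording and file path of the Kirki plugin are assumptions.

```python
"""Triage helper: is an installed WordPress plugin version inside a known-affected range?

Added example, not code from the page or from the Kirki project. Assumes the
standard WordPress plugin header format and the inclusive affected range stated
in the advisory summary (6.0.0 through 6.0.6, fixed in 6.0.7).
"""
import re
from pathlib import Path

AFFECTED_MIN = (6, 0, 0)
AFFECTED_MAX = (6, 0, 6)  # last vulnerable release per the summary; 6.0.7 is fixed
FIXED_IN = "6.0.7"

# Constructed sample of a plugin header (assumption: the real kirki.php header
# may differ in wording, but the "Version:" line is standard for WP plugins).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Kirki - Freeform Page Builder, Website Builder & Customizer
 * Plugin URI: https://kirki.org
 * Version: 6.0.5
 */
"""


def parse_version(text: str):
    """Extract the 'Version:' header value and return it as a tuple of ints, or None."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", text, re.MULTILINE)
    if not m:
        return None
    # Keep only the dotted numeric core; a pre-release suffix such as "6.0.7-beta"
    # is dropped, so the value is compared as its base version (conservative for triage).
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", m.group(1)).group(0)
    return tuple(int(part) for part in core.split("."))


def _pad(version, width=3):
    """Right-pad a version tuple with zeros so (6, 0) compares as (6, 0, 0)."""
    return tuple(version) + (0,) * (width - len(version))


def is_affected(version) -> bool:
    """Inclusive range check against the affected versions from the advisory."""
    return _pad(AFFECTED_MIN) <= _pad(version) <= _pad(AFFECTED_MAX)


def triage(header_text: str) -> dict:
    """Return a verdict for one plugin header: version string, affected flag, action."""
    version = parse_version(header_text)
    if version is None:
        return {"version": None, "affected": None,
                "action": "could not read Version header; inspect the plugin manually"}
    affected = is_affected(version)
    action = (f"upgrade to {FIXED_IN} or later, or disable the plugin"
              if affected else "not in the affected range")
    return {"version": ".".join(map(str, version)), "affected": affected, "action": action}


def triage_file(path) -> dict:
    """Triage a plugin's main PHP file on disk (e.g. wp-content/plugins/kirki/kirki.php, an assumed path)."""
    return triage(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```

On a host with WP-CLI available, `wp plugin get kirki --field=version` gives the same version string directly (the `kirki` slug is the plugin's wordpress.org slug; treat it as an assumption if your install uses a renamed directory); the helper above is for offline or bulk checks over copied plugin files.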
Timeline
- 03.06.2026 01:12 · 1 article
CHOIGYENGMIN reports Kirki password-reset flaw to Wordfence
Initial Disclosure: Security researcher CHOIGYENGMIN reported CVE-2026-8206 in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin to Wordfence on May 4, 2026, identifying a privilege escalation flaw that could let unauthenticated attackers generate password reset links and take over administrator accounts.
Sources:
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12
- 03.06.2026 01:12 · 1 article
Kirki 6.0.7 fixes CVE-2026-8206
Mitigation / Patch Update: Kirki version 6.0.7 was released on May 18, 2026 to fix CVE-2026-8206 in the WordPress plugin, closing the password-reset flaw that let attackers hijack user accounts and prompting administrators to upgrade or disable the plugin.
Sources:
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12
- 03.06.2026 01:12 · 2 articles
Wordfence blocks active Kirki exploitation attempts
Exploitation Observed: Defiant's Wordfence firewall blocked over 222 exploitation attempts against its customers' WordPress sites in the 24 hours before the report, indicating active abuse of CVE-2026-8206 against vulnerable Kirki installations to hijack user accounts, including administrator accounts.
Sources:
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12