The vendor security patch release for CVE-2026-8206
Security Patch Release
Summary
Hide ▲
Show ▼
Kirki - Freeform Page Builder, Website Builder & Customizer shipped version 6.0.7 to fix CVE-2026-8206, a privilege-escalation flaw that could let attackers take over user accounts on affected WordPress sites. The release covered plugin versions 6.0.0 through 6.0.6, which were still present across a large installed base. Administrators were told to upgrade immediately or disable the plugin until patched systems were in place.
Related Happenings
Gravity SMTP security patch release for CVE-2026-4020
Security Patch Release
H score16
First: 20.06.2026 12:56
Last: 20.06.2026 12:56
Sources 1
About this happening:
Gravity SMTP released version 2.1.5 to fix CVE-2026-4020, closing a medium-severity information disclosure flaw in the WordPress plugin. The patch addresses a bug...
Gravity SMTP security patch release for CVE-2026-4020
Security Patch ReleaseAbout this happening: Gravity SMTP released version 2.1.5 to fix CVE-2026-4020, closing a medium-severity information disclosure flaw in the WordPress plugin. The patch addresses a bug...
Everest Forms Pro plugin patch for CVE-2026-3300
Security Patch Release
H score43
First: 06.06.2026 17:09
Last: 06.06.2026 17:09
Sources 1
About this happening:
The Everest Forms developer released a patch for CVE-2026-3300 in Everest Forms Pro on March 18, closing an unauthenticated arbitrary code execution flaw affec...
Everest Forms Pro plugin patch for CVE-2026-3300
Security Patch ReleaseAbout this happening: The Everest Forms developer released a patch for CVE-2026-3300 in Everest Forms Pro on March 18, closing an unauthenticated arbitrary code execution flaw affec...
WP Maps Pro 6.1.1 security patch for CVE-2026-8732
Security Patch Release
H score49
First: 31.05.2026 17:06
Last: 31.05.2026 17:06
Sources 1
About this happening:
WP Maps Pro 6.1.1 was released to fix CVE-2026-8732, giving WordPress administrators a patch for a flaw that enabled unauthenticated administrator-account creation. Th...
WP Maps Pro 6.1.1 security patch for CVE-2026-8732
Security Patch ReleaseAbout this happening: WP Maps Pro 6.1.1 was released to fix CVE-2026-8732, giving WordPress administrators a patch for a flaw that enabled unauthenticated administrator-account creation. Th...
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch Release
H score42
First: 27.05.2026 13:06
Last: 27.05.2026 13:06
Sources 1
About this happening:
LiteSpeed released urgent security updates for the cPanel user-end plugin after CVE-2026-48172 was found to be actively exploited, reducing exposure for systems ru...
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch ReleaseAbout this happening: LiteSpeed released urgent security updates for the cPanel user-end plugin after CVE-2026-48172 was found to be actively exploited, reducing exposure for systems ru...
Latest development: 16.06.2026 13:47
CISA added CVE-2026-48172/CVE-2026-54420 in the LiteSpeed cPanel user-end plugin to the Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within three days under BOD 26-04. The affected plugin versions before 2.4.8 are described as actively exploited, with FTP or web shell access enabling root escalation on shared hosting servers running CloudLinux/CageFS.
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
H score21
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
Avada Builder shipped version 3.15.3 as the full fix for CVE-2026-4782 and CVE-2026-4798, closing the plugin flaws that could expose files and database data. A pri...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch ReleaseAbout this happening: Avada Builder shipped version 3.15.3 as the full fix for CVE-2026-4782 and CVE-2026-4798, closing the plugin flaws that could expose files and database data. A pri...
Timeline
-
03.06.2026 01:12 1 articles · 1mo ago
Security researcher reports CVE-2026-8206 in the Kirki WordPress plugin
Initial DisclosureSecurity researcher CHOIGYENGMIN reported CVE-2026-8206 to Wordfence on May 4, 2026, describing a privilege-escalation flaw in the Kirki WordPress plugin that could let unauthenticated attackers generate password reset links and hijack accounts.
Show sources
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12
-
03.06.2026 01:12 1 articles · 1mo ago
Kirki releases version 6.0.7 to fix CVE-2026-8206
Mitigation Patch UpdateKirki released version 6.0.7 on May 18, 2026 to fix CVE-2026-8206, which exposed a custom REST API password-reset flow and affected plugin versions 6.0.0 through 6.0.6.
Show sources
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12
-
03.06.2026 01:12 2 articles · 1mo ago
Wordfence blocks more than 222 Kirki exploit attempts
Detection Ioc UpdateDefiant's Wordfence firewall blocked over 222 attempted attacks against customer sites during the previous 24 hours, indicating active exploitation of CVE-2026-8206 against WordPress sites using Kirki and exposing administrator account takeover risk.
Show sources
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12