The vendor security patch release for CVE-2026-8206
Security Patch Release
Summary
Kirki - Freeform Page Builder, Website Builder & Customizer shipped version 6.0.7 to fix CVE-2026-8206, a privilege-escalation flaw that could let attackers take over user accounts on affected WordPress sites. The release covered plugin versions 6.0.0 through 6.0.6, which were still present across a large installed base. Administrators were told to upgrade immediately or disable the plugin until patched systems were in place.
Related Happenings
WP Maps Pro 6.1.1 security patch for CVE-2026-8732
Security Patch Release
First: 31.05.2026 17:06
Last: 31.05.2026 17:06
Sources 1
About this happening:
**WP Maps Pro 6.1.1** was released to fix **CVE-2026-8732**, giving WordPress administrators a patch for a flaw that enabled **unauthenticated administrator-account creation**. Th...
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch Release
First: 27.05.2026 13:06
Last: 27.05.2026 13:06
Sources 1
About this happening:
LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
**Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
cPanel security patch release for CVE-2026-29201
Security Patch Release
First: 09.05.2026 10:16
Last: 09.05.2026 10:16
Sources 1
About this happening:
**cPanel** released updates for **cPanel and Web Host Manager (WHM)** to fix **three vulnerabilities** that could enable **privilege escalation**, **code execution**, or **denial-...
cPanel security patch release for CVE-2026-41940
Security Patch Release
First: 29.04.2026 12:37
Last: 29.04.2026 12:37
Sources 1
About this happening:
**cPanel** released **security updates** for **cPanel and WHM** after an **authentication bypass** flaw could let remote attackers reach control-panel access, with fixes now cover...
Latest development: 04.05.2026 22:14
CVE-2026-41940 in cPanel, WebHost Manager (WHM), and WP Squared was rapidly exploited after public disclosure, with Censys reporting attacks from multiple threat actors within 24 hours and about 15,000 potentially compromised instances in the first day. KnownHost said about 30 managed cPanel servers showed attempted exploitation, WatchTowr Labs published a PoC exploit and technical analysis, and Defused said much of the observed activity copied WatchTowr's PoC exactly.
Timeline
- 03.06.2026 01:12 · 1 article
Security researcher reports CVE-2026-8206 in the Kirki WordPress plugin
Initial Disclosure: Security researcher CHOIGYENGMIN reported CVE-2026-8206 to Wordfence on May 4, 2026, describing a privilege-escalation flaw in the Kirki WordPress plugin that could let unauthenticated attackers generate password reset links and hijack accounts.
Sources:
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12
- 03.06.2026 01:12 · 1 article
Kirki releases version 6.0.7 to fix CVE-2026-8206
Mitigation Patch Update: Kirki released version 6.0.7 on May 18, 2026 to fix CVE-2026-8206, which exposed a custom REST API password-reset flow and affected plugin versions 6.0.0 through 6.0.6.
Sources:
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12
- 03.06.2026 01:12 · 2 articles
Wordfence blocks more than 222 Kirki exploit attempts
Detection IoC Update: Defiant's Wordfence firewall blocked over 222 attempted attacks against customer sites during the previous 24 hours, indicating active exploitation of CVE-2026-8206 against WordPress sites using Kirki and exposing administrator account takeover risk.
Sources:
- Critical Kirki flaw exploited to hijack WordPress admin accounts — www.bleepingcomputer.com — 03.06.2026 01:12