Find notable cyber news and cases, enriched with sources, timelines, and signals.

The vendor security patch release for CVE-2026-8206

Security Patch Release
First reported
Last updated
Happening score
H score 89
1 unique sources, 1 articles

Summary

Hide ▲

Kirki - Freeform Page Builder, Website Builder & Customizer shipped version 6.0.7 to fix CVE-2026-8206, a privilege-escalation flaw that could let attackers take over user accounts on affected WordPress sites. The release covered plugin versions 6.0.0 through 6.0.6, which were still present across a large installed base. Administrators were told to upgrade immediately or disable the plugin until patched systems were in place.

Related Happenings

Gravity SMTP security patch release for CVE-2026-4020

Security Patch Release
H score16 First: 20.06.2026 12:56 Last: 20.06.2026 12:56 Sources 1

About this happening: Gravity SMTP released version 2.1.5 to fix CVE-2026-4020, closing a medium-severity information disclosure flaw in the WordPress plugin. The patch addresses a bug...

Everest Forms Pro plugin patch for CVE-2026-3300

Security Patch Release
H score43 First: 06.06.2026 17:09 Last: 06.06.2026 17:09 Sources 1

About this happening: The Everest Forms developer released a patch for CVE-2026-3300 in Everest Forms Pro on March 18, closing an unauthenticated arbitrary code execution flaw affec...

WP Maps Pro 6.1.1 security patch for CVE-2026-8732

Security Patch Release
H score49 First: 31.05.2026 17:06 Last: 31.05.2026 17:06 Sources 1

About this happening: WP Maps Pro 6.1.1 was released to fix CVE-2026-8732, giving WordPress administrators a patch for a flaw that enabled unauthenticated administrator-account creation. Th...

LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)

Security Patch Release
H score42 First: 27.05.2026 13:06 Last: 27.05.2026 13:06 Sources 1

About this happening: LiteSpeed released urgent security updates for the cPanel user-end plugin after CVE-2026-48172 was found to be actively exploited, reducing exposure for systems ru...

Latest development: 16.06.2026 13:47

CISA added CVE-2026-48172/CVE-2026-54420 in the LiteSpeed cPanel user-end plugin to the Known Exploited Vulnerabilities Catalog and ordered Federal Civilian Executive Branch agencies to secure affected servers within three days under BOD 26-04. The affected plugin versions before 2.4.8 are described as actively exploited, with FTP or web shell access enabling root escalation on shared hosting servers running CloudLinux/CageFS.

Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)

Security Patch Release
H score21 First: 15.05.2026 18:56 Last: 15.05.2026 18:56 Sources 1

About this happening: Avada Builder shipped version 3.15.3 as the full fix for CVE-2026-4782 and CVE-2026-4798, closing the plugin flaws that could expose files and database data. A pri...

Timeline

  1. 03.06.2026 01:12 1 articles · 1mo ago

    Security researcher reports CVE-2026-8206 in the Kirki WordPress plugin

    Initial Disclosure

    Security researcher CHOIGYENGMIN reported CVE-2026-8206 to Wordfence on May 4, 2026, describing a privilege-escalation flaw in the Kirki WordPress plugin that could let unauthenticated attackers generate password reset links and hijack accounts.

    Show sources
  2. 03.06.2026 01:12 1 articles · 1mo ago

    Kirki releases version 6.0.7 to fix CVE-2026-8206

    Mitigation Patch Update

    Kirki released version 6.0.7 on May 18, 2026 to fix CVE-2026-8206, which exposed a custom REST API password-reset flow and affected plugin versions 6.0.0 through 6.0.6.

    Show sources
  3. 03.06.2026 01:12 2 articles · 1mo ago

    Wordfence blocks more than 222 Kirki exploit attempts

    Detection Ioc Update

    Defiant's Wordfence firewall blocked over 222 attempted attacks against customer sites during the previous 24 hours, indicating active exploitation of CVE-2026-8206 against WordPress sites using Kirki and exposing administrator account takeover risk.

    Show sources