Critical WordPress Plugin Flaw Exposes 500,000 Websites
A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks. Researchers warn that approximately 150,000 of these sites are actively vulnerable due to running affected versions.
Tracked as CVE-2026-8206 with a CVSS score of 9.8, the vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6.
The issue allows unauthenticated attackers to escalate privileges by abusing a flawed password reset mechanism, ultimately enabling full compromise of administrator accounts.
The vulnerability was discovered by security researcher Choigyeongmin and reported through the Wordfence Bug Bounty Program, earning a reward of $6,436.
Wordfence validated the issue on May 8, 2026, and quickly deployed firewall protections for premium users on May 9, ahead of public disclosure.
WordPress Plugin Vulnerability Exposes Websites
Kirki, a popular plugin used for WordPress customizer enhancements and page building, exposes a REST API endpoint responsible for handling password reset requests.
The vulnerability exists in the handle_forgot_password() function, where user input is improperly trusted during the reset process.
In a secure implementation, a password reset request should send a reset link only to the email address associated with the targeted user account.
However, in the vulnerable versions, the plugin accepts both username and email parameters without verifying their relationship.
When a valid username is supplied, the plugin correctly identifies the user account. However, it continues to use the attacker-controlled email address provided in the request.

This logic flaw enables a straightforward exploitation scenario. An attacker submits a password reset request with a legitimate username, such as an administrator, alongside an arbitrary email address they control.
The plugin then generates a valid reset token and sends it to the attacker’s email instead of the legitimate user’s.
Using the reset link, the attacker can set a new password and gain unauthorized access to the account. Successful exploitation can lead to complete site compromise.
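The logic flaw described above, as an added illustration that is not Kirki's own code: a WordPress REST callback that mails the reset link to a caller-supplied address, beside a hardened version that only ever mails the address stored on the account and replies identically whether or not the username exists. The demo_forgot_password_* names are hypothetical; the WordPress core functions used (get_user_by, get_password_reset_key, wp_mail, network_site_url, sanitize_email) are real.

```php
<?php
// Hypothetical illustration, not the plugin's code. Assumes WordPress core is loaded
// (WP_REST_Request, WP_Error, get_user_by, get_password_reset_key, wp_mail, ...).

// VULNERABLE pattern: the account is resolved from the username, but the reset
// link is delivered to whatever "email" value arrived in the request body.
function demo_forgot_password_vulnerable( WP_REST_Request $request ) {
    $user = get_user_by( 'login', sanitize_user( (string) $request['username'] ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    $key = get_password_reset_key( $user ); // real, valid token for that account
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
    // Defect: recipient is taken from the request, not from the account record.
    wp_mail( (string) $request['email'], 'Password reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

// HARDENED pattern: recipient always comes from the stored user_email, any
// caller-supplied email must match it, and the response never reveals whether
// the username exists (no account enumeration through this endpoint).
function demo_forgot_password_hardened( WP_REST_Request $request ) {
    $generic = rest_ensure_response( array( 'sent' => true ) ); // same reply on every path

    $user = get_user_by( 'login', sanitize_user( (string) $request['username'] ) );
    if ( ! $user ) {
        return $generic;
    }
    $supplied = sanitize_email( (string) $request['email'] );
    if ( $supplied !== '' && strcasecmp( $supplied, $user->user_email ) !== 0 ) {
        // Mismatch between the named account and the requested recipient: do not
        // issue a token, but let site owners see the attempt in their logs.
        do_action( 'demo_reset_recipient_mismatch', $user->ID, $supplied ); // hypothetical hook
        return $generic;
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $generic;
    }
    $link = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
    wp_mail( $user->user_email, 'Password reset', $link ); // stored address only
    return $generic;
}
```

The hook call in the hardened version is a placeholder for whatever alerting the site already uses; the point is that a username/email mismatch on a reset request is the signal worth logging.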
Attackers may install malicious plugins, inject backdoors, create rogue administrator accounts, or deploy persistent webshells, aligning with common post-exploitation techniques mapped to privilege escalation and persistence tactics.
Wordfence reported the flaw to Themeum on May 15, 2026, and a patch was released in version 6.0.7 just three days later.
Mitigation is straightforward but urgent. Website administrators are strongly advised to update the Kirki plugin to version 6.0.7 or later immediately.
Additional protections are available through Wordfence firewall rules, with premium users already protected and free users scheduled to receive coverage on June 8, 2026.
Given the ease of exploitation and high impact, this vulnerability represents a significant risk to WordPress environments, particularly those with exposed user enumeration or publicly accessible login functionality. Prompt patching and monitoring for suspicious password reset activity are essential to prevent compromise.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.