Critical
CVE-2026-8206
PUBLISHED
Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'
Not yet in CISA KEV
- Vendor: themeum
- Product: Kirki – Freeform Page Builder, Website Builder & Customizer
- Published: Jun 02, 2026
- EPSS: 0.2% (36th percentile)
Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.
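The description above comes down to the reset handler trusting a recipient address taken from the request instead of the account it is resetting. As an added illustration (not Kirki's code), here is a hardened WordPress-style handler that resolves the user from the submitted login and sends the link only to the e-mail stored on that account; the function name and the nonce and form field names are assumptions.

```php
<?php
// Added illustration, not Kirki's code: a hardened password-reset handler
// for the flaw class described above. The function name and the nonce and
// form field names are assumptions. The recipient is always derived from the
// stored account record; any e-mail address in the request is ignored.
function secure_handle_forgot_password() {
    // Reject forged or replayed form posts before doing anything else.
    $nonce = isset( $_POST['forgot_password_nonce'] ) ? $_POST['forgot_password_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'forgot_password_action' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    $login = isset( $_POST['user_login'] ) ? sanitize_text_field( wp_unslash( $_POST['user_login'] ) ) : '';
    if ( '' === $login ) {
        return new WP_Error( 'empty_login', 'Enter a username or e-mail address.' );
    }

    // Resolve the account from the login (or the e-mail it is registered under).
    $user = get_user_by( 'login', $login );
    if ( ! $user && is_email( $login ) ) {
        $user = get_user_by( 'email', $login );
    }

    // Same generic outcome for unknown accounts, so the form does not
    // confirm which usernames exist.
    if ( ! $user ) {
        return true;
    }

    // WordPress stores a hashed, time-limited reset key and hands back the
    // plaintext key (or a WP_Error) for building the link.
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }

    $reset_url = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // The vulnerable pattern used a recipient taken from the request; the
    // only acceptable destination is the address on the user record.
    $sent = wp_mail( $user->user_email, 'Password reset', 'Reset your password: ' . $reset_url );

    return $sent ? true : new WP_Error( 'mail_failed', 'The e-mail could not be sent.' );
}
```

When reviewing a plugin's own handler, the check is simply whether any request parameter can reach the `wp_mail()` recipient argument; the stored `user_email` must be the only source.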
Weaknesses (CWE)
- Improper Privilege Management
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status
Exploited in the wild
Recorded 2026-06-03 08:20:49 UTC · BleepingComputer
Proof of concept available
Recorded 2026-06-05 09:59:45 UTC · GitHub
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3b5630bd-5bce-4226-959f-5e81ae69b799?source=cve
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L330
- https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L330
- https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L48
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L48
- https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/ElementGenerator.php#L227
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/ElementGenerator.php#L227
- https://plugins.trac.wordpress.org/changeset/3530843/kirki
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| BleepingComputer First | 2026-06-03 08:20 UTC |
Recent mentions
BleepingComputer · Jun 02, 2026
Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. [...]
Potential proof of concepts
These PoCs are unverified and could contain malware. Use at your own risk.
- github · Created 2026-06-05 09:59:45 UTC · 0 stars
- github · Created 2026-06-02 10:53:31 UTC · 2 stars: Mass exploitation tool for CVE-2026-8206 – Unauthenticated Privilege Escalation via 'handle_forgot_password' in Kirki WordPress plugin (≤6.0.6).
Timeline
- Proof of Concept Exploit Available
- Added to KEVIntel
- CVE Published to Public
- CVE ID Reserved