Skip to content

Critical Kirki Flaw Exploited to Hijack WordPress Admin Accounts

A critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress has been exploited by hackers to take over any user account, including those belonging to administrators. The attacks were detected by WordPress security firm Defiant, whose Wordfence firewall blocked over 222 attempts against its customers in the past 24 hours.

The issue was introduced in a recent major release, version 6.0.0, and affects plugin versions up to 6.0.6, which are used by nearly 40% of the plugin’s userbase, according to download statistics from WordPress.org. The vulnerability allows unauthenticated attackers to generate password reset links for any user registered on the site to email addresses under their control, easily hijacking them.

Once an attacker gains admin-level access, they could install malicious plugins, modify website content, deploy web shells or persistent backdoors, and access private databases. The flaw was discovered by security researcher CHOIGYENGMIN, who reported it to Wordfence on May 4, 2026.

The company notified the vendor on May 16 and released a fix with version 6.0.7 on May 18, 2026. Given the active exploitation status of CVE-2026-8206 and the very low requirements for launching attacks, it is critical that website owners/administrators upgrade to version 6.0.7 or disable the plugin.

### Impact of the Vulnerability

The Kirki plugin, which is a freeform visual builder and advanced theme customizer active on more than 500,000 websites, has been impacted by this vulnerability. The issue was introduced in a recent major release, version 6.0.0, and affects plugin versions up to 6.0.6, which are used by nearly 40% of the plugin’s userbase.

### How the Vulnerability Works

The flaw stems from the plugin accepting an arbitrary email address during password reset requests. When a username is provided, the plugin generates a valid password reset link for the associated account, but sends it to the attacker-supplied email address rather than the account owner’s registered email address.

This behavior makes it trivial for unauthenticated attackers to generate password reset links for any user registered on the site to email addresses under their control, easily hijacking them. Once an attacker gains admin-level access, they could install malicious plugins, modify website content, deploy web shells or persistent backdoors, and access private databases.

### What You Can Do to Protect Yourself

Given the active exploitation status of CVE-2026-8206 and the very low requirements for launching attacks, it is critical that website owners/administrators upgrade to version 6.0.7 or disable the plugin. This will prevent attackers from exploiting the vulnerability and gaining admin-level access to your site.

### Conclusion

The Kirki flaw is a critical vulnerability that has been exploited by hackers to hijack WordPress admin accounts. It is essential that website owners/administrators take immediate action to protect themselves and their sites. Upgrading to version 6.0.7 or disabling the plugin will prevent attackers from exploiting the vulnerability and gaining access to your site.

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *