Kirki CVE-2026-8206 is now an active WordPress account-takeover risk, not just a routine plugin update. The flaw affects Kirki – Freeform Page Builder, Website Builder & Customizer versions 6.0.0 through 6.0.6 and lets an unauthenticated attacker route a password reset link for a real user to an attacker-controlled email address.[1]
NVD lists the issue as critical, with a CVSS 3.1 score of 9.8 and the network/no-authentication/no-user-interaction vector that site owners hate to see.[1] BleepingComputer reported on June 2 that attackers are already exploiting the bug to hijack WordPress administrator accounts, citing Wordfence/Defiant telemetry that blocked more than 222 attempts in a 24-hour period.[2]
The immediate fix is simple: update Kirki to 6.0.7 or later. WordPress.org currently lists Kirki 6.0.9 as the stable version and shows more than 500,000 active installations, which means the vulnerable 6.0 branch is not a niche edge case.[3] If your theme bundled Kirki or a maintainer pinned plugin updates, check the installed version directly instead of assuming automatic updates already handled it.

What WordPress admins should check now
Kirki’s risk is quieter than a visible rogue-account creation bug. In the recent WP Maps Pro admin takeover case, administrators could look for newly created high-privilege users. With Kirki, the attacker targets an existing username and abuses the password reset flow, so the first signs may be password reset emails, login events, or account changes that look legitimate at a glance.
Start with version inventory. Any site running Kirki 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, or 6.0.6 should be treated as exposed until updated and reviewed. Sites already on 6.0.7 or later are patched for this specific flaw, but if the site was public while vulnerable, do not stop at the update button.
Review administrator accounts, recent password reset events, new sessions, suspicious profile email changes, and unexpected plugins or theme edits. If an admin account may have been taken over, reset credentials, rotate application passwords and API keys, and check server-side files for webshells or injected JavaScript. Similar WordPress plugin incidents, including Elementor Pro exploitation and Essential Addons compromise risk, show why account access can quickly become malware delivery, redirects, or SEO spam.
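As an added example that is not from the article or the Kirki project, the POSIX shell script below covers two of the checks above: the version inventory, and a first pass over pending password resets for administrator accounts. It assumes the plugin's main file sits at wp-content/plugins/kirki/kirki.php (a guess from the plugin slug; adjust to your install) and that WordPress core records a requested reset key in the user_activation_key column as "<unix timestamp>:<hash>". The plugin header and the user rows inside the script are constructed samples. A completed reset clears that column, so an empty key is not evidence that no reset happened; this check only surfaces requests that are still pending.

```shell
#!/bin/sh
# Added triage helpers (not from the article or the Kirki project):
#  1. read a plugin's "Version:" header and classify it against the affected
#     range the advisory names (6.0.0 through 6.0.6; 6.0.7 or later patched);
#  2. parse the user_activation_key value WordPress core writes when a password
#     reset is requested ("<unix-time>:<hash>") and list administrator rows
#     whose reset is still pending, with the age of the request.
# Assumed: the Kirki main file path below; the sample header and user rows are
# constructed.

# Extract the Version: value from a WordPress plugin main-file header.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Classify a version string against the CVE-2026-8206 affected range.
kirki_cve_status() {
    v="$1"
    [ -z "$v" ] && { echo "UNKNOWN"; return 0; }
    major=${v%%.*}
    rest=${v#"$major"}; rest=${rest#.}
    minor=${rest%%.*}
    rest=${rest#"$minor"}; rest=${rest#.}
    patch=${rest%%.*}
    # Keep only the leading digits of each component (drops suffixes like "-beta").
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    : "${major:=0}" "${minor:=0}" "${patch:=0}"
    if [ "$major" -eq 6 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        echo "VULNERABLE"
    elif [ "$major" -ge 6 ]; then
        echo "PATCHED"
    else
        echo "OLDER_THAN_6.0.0"
    fi
}

# Write a constructed plugin header (not Kirki's real file) with version $2 to $1.
write_sample_header() {
    printf '<?php\n/**\n * Plugin Name: Sample Plugin (constructed)\n * Version: %s\n */\n' "$2" > "$1"
}

# Age in seconds of a pending reset key relative to $2, or "none" if no key is stored.
reset_age() {
    key="$1"; now="$2"
    case "$key" in
        *:*) ts=${key%%:*}; echo $((now - ts)) ;;
        *)   echo "none" ;;
    esac
}

# Read "user_login,role,user_activation_key" rows on stdin and print
# "login age_seconds" for administrators with a reset request still pending.
pending_admin_resets() {
    now="$1"
    while IFS=, read -r login role key; do
        [ "$role" = "administrator" ] || continue
        age=$(reset_age "$key" "$now")
        [ "$age" = "none" ] || echo "$login $age"
    done
}

# Constructed sample rows (hash values are placeholders, not real keys).
SAMPLE_USERS='admin,administrator,1780000000:HASH_PLACEHOLDER_1
editor1,editor,1780003000:HASH_PLACEHOLDER_2
siteowner,administrator,
bob,subscriber,'

# Stand-alone run: check the assumed Kirki path if present, then the sample rows.
KIRKI_MAIN="${1:-wp-content/plugins/kirki/kirki.php}"
if [ -r "$KIRKI_MAIN" ]; then
    echo "$KIRKI_MAIN: $(kirki_cve_status "$(plugin_version "$KIRKI_MAIN")")"
else
    echo "$KIRKI_MAIN not found; run from the WordPress root or pass the path"
fi
printf '%s\n' "$SAMPLE_USERS" | pending_admin_resets "$(date +%s)"
```

Run it from the WordPress root, or pass the plugin file path as the first argument; feed real user rows exported from the database into pending_admin_resets in place of the sample. A key older than the default one-day expiry can no longer be used, but it still records that a request was made and is worth correlating with login events from the same period.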
The practical rule is short: patch Kirki first, then audit as if a password reset may already have been stolen. A vulnerable password-reset endpoint is an identity problem, not merely a page-builder problem.
References
- National Vulnerability Database. “CVE-2026-8206 Detail.” Published June 2, 2026. https://nvd.nist.gov/vuln/detail/CVE-2026-8206
- BleepingComputer. “Critical Kirki flaw exploited to hijack WordPress admin accounts.” June 2, 2026. https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/amp/
- WordPress.org Plugin Directory API. “Kirki – Freeform Page Builder, Website Builder & Customizer.” Accessed June 4, 2026. https://wordpress.org/plugins/kirki/
- WordPress.org Trac. “Changeset 3530843: Kirki.” https://plugins.trac.wordpress.org/changeset/3530843/kirki