Description
Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions.
Published: 2026-06-26
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Server Side Request Forgery (SSRF) in the Kirki WordPress plugin, versions 6.0.11 and earlier, reachable by a user holding the Subscriber role (the lowest default WordPress role). It lets such a user make the web server issue HTTP requests to destinations of the attacker's choosing, including hosts that are only reachable from the server itself (loopback, internal networks, cloud metadata services). Depending on what those destinations expose, this can leak data, trigger side effects on internal services, or serve as a pivot into the surrounding network. The flaw is classified as CWE‑918 (Server-Side Request Forgery): a user-supplied URL is fetched server-side without adequate restriction on where the request may go.

Affected Systems

WordPress sites running the Kirki plugin at version 6.0.11 or earlier are affected. Beyond the plugin name and that version threshold, the record gives no further product or vendor details.

Risk and Exploitability

The CVSS 3.1 base score of 4.9 (Medium) comes from the vector AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N: remotely reachable, but with high attack complexity, requiring a low-privileged (Subscriber) account and no user interaction; the scope change reflects that the forged requests affect systems other than the vulnerable plugin, with low confidentiality and integrity impact and no availability impact. The EPSS score is below 1% (Very Low), the CVE is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation, not automatable, and partial technical impact. The likely attack path is an authenticated Subscriber submitting a crafted URL to a plugin endpoint that fetches it server-side. Because Subscriber is the default role assigned on self-registration, any site with open registration exposes this code path to anyone who can sign up.

Generated by OpenCVE AI on June 26, 2026 at 16:57 UTC.
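The record does not include the vulnerable code, so the following is an added illustration (not Kirki's code, and not from OpenCVE) of the pattern CWE‑918 describes in a WordPress plugin: an admin-ajax handler that fetches whatever URL the caller supplies, next to a hardened version. The action names, the `url` parameter, the nonce action and the `edit_theme_options` capability are assumptions made for the example.

```php
<?php
// Added illustration, not code from the Kirki plugin. The action names,
// the `url` parameter and the nonce action are assumed for the example.

// VULNERABLE PATTERN. wp_ajax_{action} fires for every authenticated
// user, Subscribers included, so anyone who can log in can make the
// server fetch an arbitrary URL (127.0.0.1, 10.x, 169.254.169.254, ...)
// and read the response back: CWE-918.
add_action( 'wp_ajax_example_fetch_preview', 'example_fetch_preview_vulnerable' );
function example_fetch_preview_vulnerable() {
    $url      = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $response = wp_remote_get( $url ); // no capability check, no destination policy
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message() );
    }
    wp_send_json_success( wp_remote_retrieve_body( $response ) ); // full read-back
}

// HARDENED PATTERN. Gate the endpoint on a capability Subscribers lack,
// verify a nonce, accept only http/https URLs that pass core's own SSRF
// check, and fetch with wp_safe_remote_get(), which sets
// reject_unsafe_urls so WP_Http re-validates the URL (and any redirect
// hop) against loopback, RFC 1918 and unusual-port targets.
add_action( 'wp_ajax_example_fetch_preview_safe', 'example_fetch_preview_hardened' );
function example_fetch_preview_hardened() {
    if ( ! current_user_can( 'edit_theme_options' ) ) { // Customizer capability
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_fetch_preview', 'nonce' );

    $raw = isset( $_POST['url'] ) ? wp_unslash( $_POST['url'] ) : '';
    $url = esc_url_raw( $raw, array( 'http', 'https' ) );
    if ( '' === $url || false === wp_http_validate_url( $url ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }

    // redirection => 0 removes the open-redirect route around the check.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    // Return only what the feature needs, never the raw upstream body.
    wp_send_json_success( array( 'status' => wp_remote_retrieve_response_code( $response ) ) );
}
```

Two caveats a practitioner should keep in mind. Core's `wp_http_validate_url()` rejects 127.0.0.0/8, 0.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 and ports other than 80, 443 and 8080, but it does not cover IPv4 link-local (169.254.0.0/16, where cloud metadata services sit) or IPv6, and it resolves the hostname with `gethostbyname()` separately from the request itself, so a DNS rebinding attacker can pass the check and have the fetch land elsewhere. Network-level egress filtering remains the backstop.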

Remediation

Vendor Solution

Update the WordPress Kirki Plugin to the latest available version (at least 6.0.12).


OpenCVE Recommended Actions

  • Update the WordPress Kirki Plugin to version 6.0.12 or later.
  • If an immediate update is not possible, apply egress filtering so the web server (or the PHP worker user) cannot reach addresses the site has no business contacting: loopback, the RFC 1918 ranges, link-local 169.254.0.0/16 (cloud metadata endpoints) and any internal service subnets. This limits what a forged request can reach but does not remove the flaw.
  • Reduce who can reach the vulnerable code path. The attacker needs a low-privileged authenticated account (PR:L, Subscriber), so disable open registration (Settings > General, "Anyone can register") where it is not needed and review existing Subscriber accounts. Input validation for CWE‑918 (allow-listing scheme and destination, rejecting private and reserved addresses) has to live in the plugin code, which is what the vendor fix supplies, rather than being a setting a site operator can switch on.

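For operators who cannot update immediately, the following added example (not part of Kirki or of OpenCVE's recommendations) shows a site-wide stop-gap as a must-use plugin: it forces `reject_unsafe_urls` on every outbound request made through the WordPress HTTP API, so even a plugin that calls plain `wp_remote_get()` gets core's loopback and RFC 1918 check, and it adds a `pre_http_request` guard for the link-local and IPv6 targets core does not cover. The file name and the choice of blocked ranges are assumptions.

```php
<?php
/**
 * Plugin Name: Outbound HTTP guard (added example, not part of Kirki)
 * Save as wp-content/mu-plugins/outbound-http-guard.php. Stop-gap only;
 * apply the vendor update as soon as possible.
 */

// 1. Make every wp_remote_*() call behave like wp_safe_remote_*(). With
//    reject_unsafe_urls set, WP_Http runs wp_http_validate_url(), which
//    refuses 127/8, 0/8, the RFC 1918 ranges and ports other than
//    80, 443 and 8080, and re-checks every redirect hop with the same args.
add_filter( 'http_request_args', function ( $args, $url ) {
    $args['reject_unsafe_urls'] = true;
    return $args;
}, 10, 2 );

// 2. Core's check does not cover IPv4 link-local (169.254.0.0/16, where
//    cloud metadata services live) or IPv6, so short-circuit those here.
//    Returning a WP_Error from pre_http_request aborts the request.
add_filter( 'pre_http_request', function ( $preempt, $args, $url ) {
    $host = parse_url( $url, PHP_URL_HOST );
    if ( ! $host ) {
        return new WP_Error( 'ssrf_guard', 'URL has no host' );
    }
    $host = trim( $host, '[]' ); // IPv6 literals arrive bracketed

    // Literal IP: use as-is; hostname: resolve it. gethostbyname() returns
    // the name unchanged on failure, which the next check rejects.
    $ip = filter_var( $host, FILTER_VALIDATE_IP ) ? $host : gethostbyname( $host );
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return new WP_Error( 'ssrf_guard', 'could not resolve ' . $host );
    }
    if ( filter_var( $ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 ) ) {
        return new WP_Error( 'ssrf_guard', 'IPv6 destinations are not allowed' );
    }
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16.
    // NO_RES_RANGE:  0/8, 127/8, 169.254/16, 240/4.
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if ( ! filter_var( $ip, FILTER_VALIDATE_IP, $flags ) ) {
        return new WP_Error( 'ssrf_guard', 'private or reserved destination blocked: ' . $ip );
    }
    return $preempt; // false: let WP_Http carry on with the request
}, 10, 3 );
```

Both filters run inside `WP_Http::request()` before the transport is invoked, and the guard applies to every caller of the HTTP API, so test it against legitimate integrations (update checks, webhooks to internal hosts) before deploying. The guard resolves the hostname once and the transport resolves it again, so DNS rebinding is still possible between the two lookups; that residual risk is why the firewall-level egress rules above are recommended alongside it.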


Advisories

No advisories yet.

History

Fri, 26 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type          Values Removed   Values Added
Description   (none)           Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions.
Title         (none)           WordPress Kirki plugin <= 6.0.11 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses    (none)           CWE-918
References    (none)           (empty)
Metrics       (none)           cvssV3_1: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T15:32:40.338Z

Reserved: 2026-06-25T08:03:10.450Z

Link: CVE-2026-57627

Vulnrichment

Updated: 2026-06-26T15:32:37.596Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-918

    Server-Side Request Forgery (SSRF)