Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient validation of file paths in the downloadZIP routine, allowing the construction of file names that reference any file within the WordPress uploads directory. An attacker can read file contents and delete files without authentication, potentially destroying site data, exposing sensitive files, or facilitating further attacks. The weakness is a Path Traversal flaw (CWE-23).

Affected Systems

Kirki – Freeform Page Builder, Website Builder & Customizer, versions 6.0.6 and earlier.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. EPSS is not available, so the exact likelihood of exploitation in the wild is uncertain, but the lack of authentication and file system constraints make exploitation relatively straightforward for an attacker with network access to the WordPress instance. The vulnerability is not listed in the CISA KEV catalog, yet its impact on data integrity and availability warrants prompt action. Based on the description, it is inferred that the attack vector is over the network via HTTP requests to the affected plugin endpoint; authentication checks are missing, so any visitor can exploit the flaw.

Generated by OpenCVE AI on May 19, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Kirki to the latest version (6.0.7 or later) where the downloadZIP path validation and capability checks have been fixed.
  • If an immediate update is not possible, temporarily disable the downloadZIP endpoint or restrict access to authenticated administrators only, for example by adding a capability check in the plugin files.
  • Configure the web server’s file permissions so that the WordPress uploads directory is not world‑writable and is protected from direct read/write access by the application user.

Generated by OpenCVE AI on May 19, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Themeum
Themeum kirki – Freeform Page Builder, Website Builder & Customizer
Wordpress
Wordpress wordpress
Vendors & Products Themeum
Themeum kirki – Freeform Page Builder, Website Builder & Customizer
Wordpress
Wordpress wordpress

Tue, 19 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 19:15:00 +0000

Type Values Removed Values Added
Description The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.
Title Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP
Weaknesses CWE-23
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Themeum Kirki – Freeform Page Builder, Website Builder & Customizer
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-19T20:01:00.455Z

Reserved: 2026-05-07T09:46:46.353Z

Link: CVE-2026-8073

cve-icon Vulnrichment

Updated: 2026-05-19T20:00:32.657Z

cve-icon NVD

Status : Deferred

Published: 2026-05-19T19:16:51.577

Modified: 2026-05-19T21:00:47.093

Link: CVE-2026-8073

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:39:07Z

Weaknesses