Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from a missing authorization check on the handler behind the 'kirki_wp_admin_get_apis' action. In every version up to and including 6.0.6 the plugin does not verify that the caller holds a capability appropriate to the action; being logged in is enough, so any authenticated user with subscriber-level privileges or higher can trigger it and retrieve the list of Kirki front-end form objects. From there an attacker can enumerate every form built with Kirki and read the stored submission data, which may contain visitors' contact details, messages, and any other information they entered. The weakness is classified as CWE-862, Missing Authorization.
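The shape of this weakness in a WordPress AJAX handler, as an added illustration that is not Kirki's code: the vulnerable form registers a `wp_ajax_` callback that returns data as soon as any user is logged in, and the hardened form ties the same callback to a capability and a nonce. The action name `example_get_forms`, the option name `example_form_submissions` and the helper `example_get_stored_submissions()` are hypothetical stand-ins; whether Kirki's own action is registered this way is not stated on this page.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler. Not Kirki's code:
// the action name, option name and helper below are hypothetical stand-ins.

/**
 * Hypothetical data source: returns whatever form submissions the site has
 * stored under an option. Stands in for a plugin's real storage.
 */
function example_get_stored_submissions() {
    return get_option( 'example_form_submissions', array() );
}

/*
 * VULNERABLE SHAPE (do not register this).
 *
 * A 'wp_ajax_{action}' hook fires only for logged-in users, so an author may
 * assume the caller is trusted. But every role, including Subscriber, is
 * "logged in": without a capability check, any account can POST
 * action=example_get_forms to admin-ajax.php and receive the whole data set.
 */
function example_get_forms_vulnerable() {
    // Missing: current_user_can() and check_ajax_referer().
    wp_send_json_success( example_get_stored_submissions() );
}
// add_action( 'wp_ajax_example_get_forms', 'example_get_forms_vulnerable' );

/*
 * HARDENED VERSION.
 */
function example_get_forms_hardened() {
    // 1. Authorization: require a capability that only the intended roles hold.
    //    'manage_options' belongs to administrators; a plugin that defines its
    //    own capability (e.g. 'read_example_submissions') should check that.
    //    wp_send_json_error() ends the request via wp_die(), so nothing after
    //    it runs for an unauthorized caller.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 2. CSRF: admin-ajax.php can be hit by a cross-site form or script that an
    //    admin's browser loads, so require a nonce bound to this action. The
    //    caller sends the value of wp_create_nonce( 'example_get_forms' ) in
    //    the 'nonce' field; on mismatch check_ajax_referer() dies with -1.
    check_ajax_referer( 'example_get_forms', 'nonce' );

    wp_send_json_success( example_get_stored_submissions() );
}
add_action( 'wp_ajax_example_get_forms', 'example_get_forms_hardened' );

// Deliberately no 'wp_ajax_nopriv_example_get_forms' hook: unauthenticated
// callers should never reach a handler that returns submission data.
```

The two checks answer different questions: `current_user_can()` decides whether this account may see the data at all (the check this CVE is about), while the nonce only proves the request was produced by a page the plugin served to that user. A handler with a nonce but no capability check is still CWE-862: a subscriber can fetch a nonce from any page that prints it.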

Affected Systems

The affected product is the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin by Themeum. All releases up to and including 6.0.6 are affected. Exposure is highest on sites where a low-privilege account is easy to obtain, for example where user registration is open or subscriber accounts are issued for comments or memberships, since a subscriber account is all an attacker needs.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) yields a score of 6.5, medium: the attack is network-reachable and low-complexity with no user interaction, the impact is a full loss of confidentiality of the form data, and the one mitigating factor is that the attacker must hold valid credentials. EPSS is below 1% and the CVE is not in the CISA KEV catalog; the SSVC assessment records Exploitation as none and Automatable as no. The vulnerable action is reachable by any logged-in user, so an account with subscriber privileges is sufficient, and on sites that allow open registration that is a trivial bar. No public exploit is referenced here, but because the action name is published and the data at stake is personal information submitted by visitors, the issue warrants prompt attention.

Generated by OpenCVE AI on May 19, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Kirki plugin to a release that adds the missing authorization check as soon as Themeum publishes one; no fixed version is listed on this page, so confirm in the plugin changelog that a newer version actually contains the fix before relying on it.
  • If an immediate update is not feasible, restrict the 'kirki_wp_admin_get_apis' action to administrators by hooking in ahead of the plugin's handler with a capability check (for example current_user_can('manage_options')), or disable the action outright. Do this from a must-use plugin rather than by editing the plugin's own files, so the change survives updates.
  • Review and apply proper access controls to all sensitive form data, ensuring only authorized users can view or download stored submissions.
  • Monitor user activity for suspicious attempts to access form submissions, in particular calls to the action from subscriber-level accounts, and consider security monitoring or WAF rules that block the action for non-administrators.
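One way to carry out the second and fourth recommendations without editing the plugin, as an added example rather than the project's own code or a vendor workaround: a must-use plugin that hooks the action at priority 0, refuses non-administrators with a 403, and writes one log line per refusal that a SIEM or WAF rule can key on. It assumes the action is dispatched through admin-ajax.php under the `wp_ajax_kirki_wp_admin_get_apis` hook (the page names the action but not how it is registered); the constant and function names are the example's own.

```php
<?php
/**
 * Plugin Name: Kirki admin-API guard (temporary workaround)
 * Description: Blocks the 'kirki_wp_admin_get_apis' action for anyone who is
 *              not an administrator and logs each refusal. Added example, not
 *              vendor code; remove once a fixed Kirki release is installed.
 *
 * Install as wp-content/mu-plugins/kirki-guard.php. Must-use plugins load
 * before regular plugins and cannot be deactivated from the dashboard, so
 * the guard survives a Kirki update and cannot be switched off from a
 * low-privilege account.
 *
 * Assumption (not stated on the advisory page): the action is dispatched
 * through admin-ajax.php, i.e. the plugin registers a
 * 'wp_ajax_kirki_wp_admin_get_apis' callback. If it is a REST route instead,
 * apply the same test from a 'rest_pre_dispatch' filter.
 */

const KIRKI_GUARD_ACTION = 'kirki_wp_admin_get_apis';

/**
 * Refuse the request unless the caller is an administrator, and log it.
 */
function kirki_guard_deny_non_admins() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep normal access
    }

    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // One greppable line per refusal. A subscriber hitting this repeatedly is
    // exactly the signal the monitoring recommendation asks for.
    error_log( sprintf(
        'kirki-guard: denied action=%s user_id=%d login=%s roles=%s ip=%s',
        KIRKI_GUARD_ACTION,
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $ip
    ) );

    // wp_send_json_error() calls wp_die(), so the plugin's own callback, hooked
    // at the default priority 10, never runs for this request.
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
}

// Priority 0 puts the guard ahead of the plugin's handler on the same hook.
add_action( 'wp_ajax_' . KIRKI_GUARD_ACTION, 'kirki_guard_deny_non_admins', 0 );

// admin-ajax.php and admin-post.php both fire 'admin_init' before dispatching
// the action, so this catches the same request even if the plugin hooks it
// somewhere other than 'wp_ajax_*'.
add_action( 'admin_init', function () {
    if ( isset( $_REQUEST['action'] ) && KIRKI_GUARD_ACTION === $_REQUEST['action'] ) {
        kirki_guard_deny_non_admins();
    }
}, 0 );
```

Verify the guard before trusting it: log in as a test subscriber, request the action against admin-ajax.php, confirm the 403 JSON response and the `kirki-guard: denied` line in the PHP error log, then repeat as an administrator to confirm the plugin's own behaviour is unchanged. If the administrator test also returns 403, the plugin is using a different hook and the assumption above does not hold for this install.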

Generated by OpenCVE AI on May 19, 2026 at 20:22 UTC.

Advisories

No advisories yet.

History

Wed, 20 May 2026 11:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Themeum; Themeum kirki – Freeform Page Builder, Website Builder & Customizer; Wordpress; Wordpress wordpress
Vendors & Products   -                Themeum; Themeum kirki – Freeform Page Builder, Website Builder & Customizer; Wordpress; Wordpress wordpress

Tue, 19 May 2026 20:15:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 19:15:00 +0000

Type         Values Removed   Values Added
Description  -                The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.
Title        -                Kirki <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via 'kirki_wp_admin_get_apis' Action
Weaknesses   -                CWE-862
References   -                -
Metrics      -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-19T19:35:37.550Z

Reserved: 2026-05-07T13:14:53.291Z

Link: CVE-2026-8096

Vulnrichment

Updated: 2026-05-19T19:35:32.017Z

NVD

Status: Deferred

Published: 2026-05-19T19:16:51.743

Modified: 2026-05-19T21:00:47.093

Link: CVE-2026-8096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T10:39:08Z

Weaknesses