CVE-2026-8206 - Vulnerability Details

- Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'

Description

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.

Published: 2026-06-02

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation through an unchecked password reset mechanism. The flaw allows an unauthenticated attacker to supply any email address while requesting a password reset for any username on the site. This results in a reset link being sent to the attacker's address, effectively granting them control over the target account and elevating privileges to that user level.

Affected Systems

All installations of the Kirki plugin released by themeum, versions 6.0.0 through 6.0.6 on WordPress sites are affected. The flaw resides in the plugin’s "handle_forgot_password" functionality and does not impact other WordPress components or plugins.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity, and the EPSS score is not available. It is not listed in the CISA KEV catalog. The attack vector is purely unauthenticated; an attacker needs only a target username and can specify any email address in the reset request. The plugin then sends a password‑reset link to that supplied address, giving the attacker control of the user account and elevating privileges to that role.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

themeum

Kirki – Freeform Page Builder, Website Builder & Customizer

unaffected

Version	Status	Constraints
`6.0.0`	affected	≤ 6.0.6

No data.

Vendor Product Confidence Versions

Themeum

Kirki – Freeform Page Builder, Website Builder & Customizer

100%

Version	Status	Scheme	Platform
`[6.0.0,6.0.6]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the Kirki plugin to the latest patch version (≥ 6.0.7) from the vendor or the official plugin repository.
If an upgrade is not immediately possible, consider disabling the password‑reset functionality for unauthenticated users or limiting it to verified email addresses through a security plugin or custom code.
Implement an additional check that verifies the email address matches the account’s registered email before sending a reset link; this aligns with preventing privilege escalation as described by CWE‑269.

Generated by OpenCVE AI on June 2, 2026 at 05:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00623.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L330
https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L48
https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/ElementGenerator.php#L227
https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L330
https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L48
https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/ElementGenerator.php#L227
https://plugins.trac.wordpress.org/changeset/3530843/kirki
https://www.wordfence.com/threat-intel/vulnerabilities/id/3b5630bd-5bce-4226-959f-5e81ae69b799?source=cve

History

Tue, 02 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 02 Jun 2026 05:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Themeum Themeum kirki – Freeform Page Builder, Website Builder & Customizer Wordpress Wordpress wordpress
Vendors & Products		Themeum Themeum kirki – Freeform Page Builder, Website Builder & Customizer Wordpress Wordpress wordpress

Tue, 02 Jun 2026 03:45:00 +0000

Type	Values Removed	Values Added
Description		The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.
Title		Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'
Weaknesses		CWE-269
References		https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L330 https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L48 https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/ElementGenerator.php#L227 https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L330 https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L48 https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/ElementGenerator.php#L227 https://plugins.trac.wordpress.org/changeset/3530843/kirki https://www.wordfence.com/threat-intel/vulnerabilities/id/3b5630bd-5bce-4226-959f-5e81ae69b799?source=cve
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Themeum Kirki – Freeform Page Builder, Website Builder & Customizer

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-06-02T03:28:49.326Z

Updated: 2026-06-02T10:47:47.685Z

Reserved: 2026-05-09T01:00:17.472Z

Link: CVE-2026-8206

Vulnrichment

Updated: 2026-06-02T10:47:43.141Z

NVD

Status : Deferred

Published: 2026-06-02T04:17:03.550

Modified: 2026-06-02T13:03:31.153

Link: CVE-2026-8206

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T05:30:36Z

Weaknesses

CWE-269
Improper Privilege Management

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object