WordPress Kirki plugin vulnerability allows account takeover

Hackers are actively exploiting a critical privilege escalation vulnerability in the popular WordPress Kirki plugin, allowing them to take over any user account, including administrator accounts. The vulnerability, identified as CVE-2026-8206, has seen over 222 exploitation attempts blocked by the Wordfence firewall in a 24-hour period, based on information published by Bleeping Computer.

The vulnerability, present in Kirki versions 6.0.0 through 6.0.6, stems from an unauthenticated REST API endpoint that allows attackers to reset any user's password. By providing an arbitrary email address during a password reset request, attackers can redirect the reset link to an email address they control, effectively hijacking the account. This plugin is active on over 500,000 websites.

Once an attacker gains administrative access, they can install malicious plugins, alter website content, deploy web shells, or access private databases. The flaw was reported to Wordfence on May 4, 2026, and a fix was released in version 6.0.7 on May 18, 2026. Website owners are strongly advised to update to version 6.0.7 or disable the plugin immediately due to the active exploitation.

Source: Bleeping Computer
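As an added illustration of the bug class this brief describes (not Kirki's code and not taken from the advisory), here is a hypothetical WordPress plugin's password-reset REST route in its vulnerable shape beside a hardened one. The namespace `example-plugin/v1`, the route names and the choice of the `edit_users` capability are assumptions.

```php
<?php
// Added illustration of the bug class described above: a hypothetical plugin's
// password-reset REST route. This is NOT Kirki's code; route names are made up.

// Vulnerable pattern: no authentication, and the reset link is mailed to
// whatever address the caller puts in the request body.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/reset-password', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // anyone may call this
        'callback'            => function ( WP_REST_Request $req ) {
            $user = get_user_by( 'login', sanitize_user( (string) $req['login'] ) );
            if ( ! $user ) {
                return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
            }
            $key = get_password_reset_key( $user ); // a real, valid reset key
            $url = network_site_url( 'wp-login.php?action=rp&key=' . $key
                . '&login=' . rawurlencode( $user->user_login ), 'login' );
            // BUG: the destination address is caller-controlled input.
            wp_mail( sanitize_email( (string) $req['email'] ), 'Password reset', $url );
            return rest_ensure_response( array( 'sent' => true ) );
        },
    ) );
} );

// Hardened form: the route requires an authenticated caller with a capability
// (the REST API applies cookie auth only with a valid X-WP-Nonce header), and
// the destination address is never read from the request. retrieve_password()
// mails the reset link only to the address stored on the user record.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/reset-password-safe', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'edit_users' );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            $user = get_user_by( 'login', sanitize_user( (string) $req['login'] ) );
            if ( ! $user ) {
                return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
            }
            $result = retrieve_password( $user->user_login );
            if ( is_wp_error( $result ) ) {
                return $result;
            }
            return rest_ensure_response( array( 'sent' => true ) );
        },
    ) );
} );
```

When auditing a site, the two things to check on any plugin-registered reset route are the `permission_callback` (a literal `__return_true` means unauthenticated) and whether the mail recipient comes from the request rather than from the stored user record.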
