
Critical Kirki flaw exploited to hijack WordPress admin accounts

Published 2 June 2026 at 22:12 UTC. Source: Bleeping Computer.

Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. [...]

AI Briefing (auto-generated threat analysis)

Threat Overview

A critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress allows an unauthenticated attacker to hijack any user account, including administrators, by causing a password reset link for the target account to be sent to an email address the attacker controls. The NVD vector (PR:N, UI:N) indicates that no credentials and no interaction from the victim are required.

Technical Details

Affected Systems: Kirki plugin for WordPress, versions 6.0.0 to 6.0.6
Impact Assessment

Severity: Critical

Who Is at Risk: website owners and administrators running the Kirki plugin for WordPress, versions 6.0.0 to 6.0.6
Recommended Actions

1. Upgrade the Kirki plugin to version 6.0.7 or later.
2. If you cannot update immediately, deactivate the plugin until you can. The fix is already available, so deactivation is a stopgap, not a substitute for patching.
3. Check for signs of compromise, since the flaw is reported as actively exploited: review the administrator list for accounts you did not create, look for unexpected password-reset emails or password changes on existing accounts, check web server logs for bursts of password-reset requests, and rotate credentials for any account that may have been reset.
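The following triage script is an added example written for this summary; it is not code from the article, from NVD, or from the Kirki project. It does two things a practitioner would want for the actions above: it reads the standard WordPress plugin header to decide whether an installed Kirki version falls in the 6.0.0 to 6.0.6 range stated on this page, and it scans web server access log lines for a burst of password-reset requests from one client. Assumptions, labelled in the code: the plugin header and log lines are constructed sample data, and the reset requests are assumed to go through WordPress core's wp-login.php?action=lostpassword endpoint, because the page does not name the endpoint the exploit actually uses.

```python
"""Triage helpers for CVE-2026-8206 (Kirki for WordPress, 6.0.0 to 6.0.6).

Added example, not project code. The affected range and fixed version below
are the ones reported on the page; the sample data is constructed.
"""
import re
from datetime import datetime, timedelta

AFFECTED_MIN = (6, 0, 0)   # first affected release reported on the page
FIXED_VERSION = (6, 0, 7)  # first fixed release reported on the page

# Standard WordPress plugin header line, e.g. " * Version: 6.0.5"
VERSION_HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)\s*$", re.MULTILINE)

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: the reset flow goes through WordPress core's lost-password
# endpoint. The page does not say which endpoint the exploit hits.
LOST_PASSWORD_PATH = "/wp-login.php?action=lostpassword"


def parse_version(text):
    """'6.0.5' -> (6, 0, 5). Pre-release suffixes such as '6.0.7-beta1' are ignored."""
    nums = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple((nums + [0, 0, 0])[:3])


def plugin_version(plugin_main_file_text):
    """Return the Version: header of a plugin's main PHP file as a tuple."""
    m = VERSION_HEADER_RE.search(plugin_main_file_text)
    if not m:
        raise ValueError("no 'Version:' header found")
    return parse_version(m.group(1))


def is_affected(version):
    """True when 6.0.0 <= version < 6.0.7, the range stated on the page."""
    return AFFECTED_MIN <= version < FIXED_VERSION


def reset_request_bursts(log_lines, threshold=5, window=timedelta(minutes=5)):
    """Map client IP -> largest number of lost-password POSTs seen within `window`,
    for clients that reach `threshold`. Other requests are ignored."""
    times_by_ip = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not m.group("path").startswith(LOST_PASSWORD_PATH):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        times_by_ip.setdefault(m.group("ip"), []).append(ts)

    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


# Constructed sample plugin header (not a real file from the Kirki project).
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Kirki Customizer Framework
 * Version: 6.0.5
 */
"""

# Constructed sample log lines: six reset POSTs from one client in under two
# minutes, one POST and one GET from another.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2026:22:15:01 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.6.0"',
    '203.0.113.5 - - [02/Jun/2026:22:15:09 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.6.0"',
    '203.0.113.5 - - [02/Jun/2026:22:15:20 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.6.0"',
    '203.0.113.5 - - [02/Jun/2026:22:15:44 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.6.0"',
    '203.0.113.5 - - [02/Jun/2026:22:16:12 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.6.0"',
    '203.0.113.5 - - [02/Jun/2026:22:16:40 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "curl/8.6.0"',
    '198.51.100.7 - - [02/Jun/2026:22:20:30 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jun/2026:22:21:02 +0000] "GET /wp-login.php?action=lostpassword HTTP/1.1" 200 1845 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    v = plugin_version(SAMPLE_PLUGIN_HEADER)
    print("installed Kirki", ".".join(map(str, v)), "affected:", is_affected(v))
    print("reset-request bursts:", reset_request_bursts(SAMPLE_LOG))
```

On a live site, feed the header check the contents of the plugin's main PHP file under wp-content/plugins and the burst check your access log; the threshold and window are starting points to tune against normal reset traffic, and a flagged client is a lead to investigate, not proof of exploitation.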
Affected Products

Product Name: Kirki plugin for WordPress
Version Range: 6.0.0 to 6.0.6

NVD Verified Data

CVE-2026-8206, CVSS 9.8 (Critical)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness: CWE-269 (Improper Privilege Management)

This is a curated summary. The complete article is available at Bleeping Computer.