WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks
Cybersecurity NewsArchived Jun 03, 2026✓ Full text saved
A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites are actively vulnerable due to affected versions. Tracked as CVE-2026-8206 with a CVSS score of 9.8, the vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6. The issue […] The post WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks appeared first on Cy
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks
By Abinaya
June 3, 2026
A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites are actively vulnerable due to affected versions.
Tracked as CVE-2026-8206 with a CVSS score of 9.8, the vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6.
The issue allows unauthenticated attackers to escalate privileges by abusing a flawed password reset mechanism, ultimately enabling full compromise of administrator accounts.
The vulnerability was discovered by security researcher Choigyeongmin and reported through the Wordfence Bug Bounty Program, earning a reward of $6,436.
Wordfence validated the issue on May 8, 2026, and quickly deployed firewall protections for premium users on May 9, ahead of public disclosure.
WordPress Plugin Vulnerability Exposes Websites
Kirki, a popular plugin used for WordPress customizer enhancements and page building, exposes a REST API endpoint responsible for handling password reset requests.
The vulnerability exists in the handle_forgot_password() function, where user input is improperly trusted during the reset process.
In a secure implementation, a password reset request should send a reset link only to the email address associated with the targeted user account.
However, in the vulnerable versions, the plugin accepts both username and email parameters without verifying their relationship.
When a valid username is supplied, the plugin correctly identifies the user account. However, it continues to use the attacker-controlled email address provided in the request.
Attack path and Wordfence firewall blocking exploitation attempts(source: Wordfence)
This logic flaw enables a straightforward exploitation scenario. An attacker submits a password reset request with a legitimate username, such as an administrator, alongside an arbitrary email address they control.
The plugin then generates a valid reset token and sends it to the attacker’s email instead of the legitimate user’s.
Using the reset link, the attacker can set a new password and gain unauthorized access to the account. Successful exploitation can lead to complete site compromise.
Attackers may install malicious plugins, inject backdoors, create rogue administrator accounts, or deploy persistent webshells, aligning with common post-exploitation techniques mapped to privilege escalation and persistence tactics.
Wordfence reported the flaw to Themeum on May 15, 2026, and a patch was released in version 6.0.7 just three days later.
Mitigation is straightforward but urgent. Website administrators are strongly advised to update the Kirki plugin to version 6.0.7 or later immediately.
Additional protections are available through Wordfence firewall rules, with premium users already protected and free users scheduled to receive coverage on June 8, 2026.
Given the ease of exploitation and high impact, this vulnerability represents a significant risk to WordPress environments, particularly those with exposed user enumeration or publicly accessible login functionality. Prompt patching and monitoring for suspicious password reset activity are essential to prevent compromise.
Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
Malicious Websites Track Visitors by Analyzing their SSD Timing Activity
Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones
Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account
Pentest Swarm AI Tool With Live Access to nmap, sqlmap, Burp, Metasploit, and Others
Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code
Latest News
Apache
Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections
Cyber Security News
Ivanti ITSM Vulnerability Lets Attackers Gain Admin Privilege
Cyber Security News
Laravel CRLF Injection Vulnerability Enables an Attacker to Interfere with Outbound Email Processing
Cyber Security News
Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware
Cyber Security News
Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users