CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 03, 2026

WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks

Cybersecurity News Archived Jun 03, 2026 ✓ Full text saved

A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites are actively vulnerable due to affected versions. Tracked as CVE-2026-8206 with a CVSS score of 9.8, the vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6. The issue […] The post WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks appeared first on Cy

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News WordPress Plugin Vulnerability Exposes 500,000+ Websites to Privilege Escalation Attacks By Abinaya June 3, 2026 A critical security flaw in the widely used Kirki WordPress plugin has exposed over 500,000 websites to potential account takeover attacks, with researchers warning that approximately 150,000 sites are actively vulnerable due to affected versions. Tracked as CVE-2026-8206 with a CVSS score of 9.8, the vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6. The issue allows unauthenticated attackers to escalate privileges by abusing a flawed password reset mechanism, ultimately enabling full compromise of administrator accounts. The vulnerability was discovered by security researcher Choigyeongmin and reported through the Wordfence Bug Bounty Program, earning a reward of $6,436. Wordfence validated the issue on May 8, 2026, and quickly deployed firewall protections for premium users on May 9, ahead of public disclosure. WordPress Plugin Vulnerability Exposes Websites Kirki, a popular plugin used for WordPress customizer enhancements and page building, exposes a REST API endpoint responsible for handling password reset requests. The vulnerability exists in the handle_forgot_password() function, where user input is improperly trusted during the reset process. In a secure implementation, a password reset request should send a reset link only to the email address associated with the targeted user account. However, in the vulnerable versions, the plugin accepts both username and email parameters without verifying their relationship. When a valid username is supplied, the plugin correctly identifies the user account. However, it continues to use the attacker-controlled email address provided in the request. Attack path and Wordfence firewall blocking exploitation attempts(source: Wordfence) This logic flaw enables a straightforward exploitation scenario. An attacker submits a password reset request with a legitimate username, such as an administrator, alongside an arbitrary email address they control. The plugin then generates a valid reset token and sends it to the attacker’s email instead of the legitimate user’s. Using the reset link, the attacker can set a new password and gain unauthorized access to the account. Successful exploitation can lead to complete site compromise. Attackers may install malicious plugins, inject backdoors, create rogue administrator accounts, or deploy persistent webshells, aligning with common post-exploitation techniques mapped to privilege escalation and persistence tactics. Wordfence reported the flaw to Themeum on May 15, 2026, and a patch was released in version 6.0.7 just three days later. Mitigation is straightforward but urgent. Website administrators are strongly advised to update the Kirki plugin to version 6.0.7 or later immediately. Additional protections are available through Wordfence firewall rules, with premium users already protected and free users scheduled to receive coverage on June 8, 2026. Given the ease of exploitation and high impact, this vulnerability represents a significant risk to WordPress environments, particularly those with exposed user enumeration or publicly accessible login functionality. Prompt patching and monitoring for suspicious password reset activity are essential to prevent compromise. Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Abinayahttps://cybersecuritynews.com/ Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space. Trending News Malicious Websites Track Visitors by Analyzing their SSD Timing Activity Google Patches 151 Vulnerabilities in Chrome, Including 22 Critical Ones Critical WP Maps Pro Vulnerability Allow Attackers to Create Administrator Account Pentest Swarm AI Tool With Live Access to nmap, sqlmap, Burp, Metasploit, and Others Critical Notepad++ Vulnerabilities Allow Attackers to Execute Arbitrary Code Latest News Apache Critical Apache ActiveMQ Vulnerability Allows Malicious Security Header Injections Cyber Security News Ivanti ITSM Vulnerability Lets Attackers Gain Admin Privilege Cyber Security News Laravel CRLF Injection Vulnerability Enables an Attacker to Interfere with Outbound Email Processing Cyber Security News Hackers Use YouTube and SEO Poisoning to Spread WeedHack Minecraft Malware Cyber Security News Microsoft 365 Android Apps Account Takeover Vulnerability Impacted Billions of Android Users
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 03, 2026
    Archived
    Jun 03, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗