A critical vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress allows unauthenticated privilege escalation and carries a CVSS score of 9.8. The flaw can lead to account takeover and affects approximately 150,000 of the plugin's more than 500,000 active installations. Attackers exploit a logic flaw in the password reset process to hijack administrator accounts by manipulating email parameters. Updating promptly to version 6.0.7 or later is essential to mitigate the risk; additional measures include auditing user registries and deploying a web application firewall.
CVE-2026-8206: Kirki flaw lets attackers hijack WordPress admins
Article by CyberSIXT
Timeline Coverage
- Critical Kirki plugin flaw lets hackers hijack admin accounts (securityweek.com)
- CVE-2026-8206: Kirki flaw lets attackers hijack WordPress admins (securityonline.info)