Vulnerability intelligence
CVE-2026-8206
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.
CVSS Score
9.8
Critical
EPSS — Exploit Probability
0.2%
Riskier than 36% of all CVEs
Exploitation
Not in CISA KEV
No federal exploitation record
Remediation
unknown
Check vendor advisories
2 articles across 2 outlets · first covered Jun 2, 2026 · latest Jun 3, 2026
Coverage timeline
-
Critical Kirki plugin flaw lets hackers hijack admin accountswww.securityweek.com · Jun 3, 2026
-
CVE-2026-8206: Kirki flaw lets attackers hijack WordPress adminssecurityonline.info · Jun 2, 2026