An active cyber threat is targeting thousands of website environments globally. Specifically, a critical Kirki plugin vulnerability exposes web infrastructure to severe malicious attacks. This high-severity flaw affects a popular frontend page building extension. Threat actors are currently exploiting it in the wild to hijack administrative accounts. Consequently, administrators must apply the latest software updates immediately to protect their sites and the data behind them.
Understanding the Unauthenticated Privilege Escalation
The security flaw, tracked as CVE-2026-8206, carries an alarming CVSS severity score of 9.8. This defect enables an unauthenticated privilege escalation on vulnerable sites. Although the extension boasts over 500,000 active installations, the risk applies to a specific subset. Researchers estimate that “only around 150,000 sites are using a vulnerable version, as the issue was introduced in the 6.0 major release”. Therefore, the first step for any administrator is to check which version of the plugin is actually installed.
Technical Analysis of the REST API Flaw
The Logic Flaw in Password Resets
The primary engineering issue resides within the frontend account management features. Specifically, the plugin exposes a custom REST API endpoint to process forgot password requests. Examining the source code reveals that the application uses the handle_forgot_password() function in the CompLibFormHandler class. This function accepts both a username parameter and a target email address from the incoming request body. However, a critical logic flaw completely undermines the verification that should bind the two together.
Executing a WordPress Account Takeover
The software correctly identifies the targeted user account by matching the provided username. Unfortunately, “instead of using the email address associated with that account, it continues to use the email address supplied in the request”. As a result, a remote adversary can easily initiate a WordPress account takeover. An unauthenticated attacker simply submits a high-privilege username alongside an inbox address they control. Consequently, the system generates a valid password reset key for that account and delivers it to the attacker-controlled address.
“Using the reset link, the attacker can set a new password and gain full control of the account”. Furthermore, this unauthorized administrative access allows attackers to install malicious plugins or modify site content. Adversaries can also deploy hidden web shells for persistent long-term access. Thus, a simple coding mistake escalates directly into a total site compromise.
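The defensive pattern the flaw violates, shown as an added example rather than the plugin's own code: a WordPress REST forgot-password handler that derives the recipient from the stored account record and ignores any client-supplied email. The class name, route, and response text are hypothetical; the WordPress API calls (register_rest_route, get_user_by, get_password_reset_key, wp_mail) are real.

```php
<?php
// Added example (not the Kirki plugin's code). Class and route names are
// hypothetical; the WordPress functions used are real core APIs.

class ExampleForgotPasswordHandler {

    public static function register_routes() {
        register_rest_route( 'example/v1', '/forgot-password', array(
            'methods'             => 'POST',
            'callback'            => array( __CLASS__, 'handle_forgot_password' ),
            'permission_callback' => '__return_true', // unauthenticated by design
        ) );
    }

    public static function handle_forgot_password( WP_REST_Request $request ) {
        $username = sanitize_user( (string) $request->get_param( 'username' ) );
        if ( '' === $username ) {
            return new WP_Error( 'rest_invalid_param', 'Username is required.', array( 'status' => 400 ) );
        }

        $user = get_user_by( 'login', $username );

        // The defect described in the article: taking the recipient from the
        // request body. Anything the client supplies must never decide where
        // the reset key is delivered, so the 'email' parameter is ignored.
        // $to = $request->get_param( 'email' );   // DO NOT do this

        if ( $user instanceof WP_User ) {
            $key = get_password_reset_key( $user );
            if ( ! is_wp_error( $key ) ) {
                $link = network_site_url(
                    'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
                    'login'
                );
                // Recipient is the address stored on the account, and only that.
                wp_mail( $user->user_email, 'Password reset', 'Reset link: ' . $link );
            }
        }

        // Identical response whether or not the user exists, to avoid username enumeration.
        return rest_ensure_response( array(
            'message' => 'If the account exists, a reset link has been sent.',
        ) );
    }
}

add_action( 'rest_api_init', array( 'ExampleForgotPasswordHandler', 'register_routes' ) );
```

The single security-relevant line is the wp_mail() recipient: it must come from $user->user_email, never from the request.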
Active Exploitation and Defense Responses
Security defenders must treat this Kirki plugin vulnerability as an immediate threat to operational integrity. Threat intelligence telemetry confirms that malicious groups are actively weaponizing the defect. Wordfence reported that its firewall systems “blocked 59 attacks targeting this vulnerability in the past 24 hours”. This rapid exploitation highlights the risk facing unpatched corporate websites. The issue was responsibly disclosed by a security researcher named CHOIGYEONGMIN through a bug bounty program, earning a reward of $6,436.
Recommended Remediation Steps
To secure your digital assets, apply the official vendor update immediately: upgrade Kirki to version 6.0.7 or later to close the exploit path. Because the flaw was introduced in the 6.0 release, sites still on an earlier major version should verify that fact rather than assume they are safe. Additionally, webmasters should audit their user lists for unauthorized administrator profiles and for recent, unexplained password resets on privileged accounts. A web application firewall can also block malicious requests to the forgot-password endpoint. Ultimately, maintaining strict patch hygiene remains the best line of defense against this class of web threat.