Critical Vulnerability in Kirki Plugin Endangers Over 500,000 WordPress Sites; Update Urgently Required

A severe security flaw has been identified in the Kirki WordPress plugin, a tool widely utilized for enhancing the WordPress Customizer and streamlining theme development. This vulnerability, cataloged as CVE-2026-8206 with a critical CVSS score of 9.8, affects versions 6.0.0 through 6.0.6 of the plugin. It enables unauthenticated attackers to escalate privileges by exploiting a defective password reset mechanism, potentially leading to full administrative control over affected websites.

Understanding the Vulnerability

The core issue resides in the plugin’s handling of password reset requests via its REST API endpoint. Specifically, the `handle_forgot_password()` function fails to adequately verify the relationship between the provided username and email address during the password reset process. In a secure system, a password reset request should send a reset link exclusively to the email address associated with the specified user account. However, in the vulnerable versions of Kirki, the plugin accepts both username and email parameters without confirming their correlation.

This oversight allows an attacker to submit a password reset request using a legitimate username (e.g., an administrator’s) alongside an arbitrary email address under their control. Consequently, the plugin generates a valid reset token and dispatches it to the attacker’s email, enabling them to set a new password and gain unauthorized access to the account. Such exploitation can result in complete site compromise, including the installation of malicious plugins, injection of backdoors, creation of rogue administrator accounts, or deployment of persistent web shells.
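To make the defect concrete, the following is an added illustrative example, not Kirki's own code: a WordPress REST password-reset handler written first in the vulnerable pattern the article describes and then in a hardened form. The route name (`example/v1/forgot-password`), the callback and parameter names, and the mail wording are assumptions for this example; only the WordPress core functions (`get_user_by`, `get_password_reset_key`, `wp_mail`, `register_rest_route`) are real APIs.

```php
<?php
// Added example (not Kirki's code). Route, callback and parameter names are assumed.

// VULNERABLE PATTERN: the client supplies both 'username' and 'email', the user is
// looked up by username, and the reset key is mailed to the client-supplied
// address without checking that it is the address stored for that account.
function example_forgot_password_insecure( WP_REST_Request $request ) {
    $username = sanitize_user( (string) $request->get_param( 'username' ) );
    $email    = sanitize_email( (string) $request->get_param( 'email' ) );

    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'Unknown user', array( 'status' => 404 ) );
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }

    $link = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    // Defect: destination is $email from the request, not $user->user_email.
    wp_mail( $email, 'Password reset', "Reset your password: {$link}" );
    return rest_ensure_response( array( 'sent' => true ) );
}

// HARDENED PATTERN: the request carries a single 'login' value (username or email)
// that is used only to look the account up. The reset link goes exclusively to the
// address WordPress stores for that account, and the response is identical whether
// or not the account exists, so the endpoint does not confirm valid usernames.
function example_forgot_password_secure( WP_REST_Request $request ) {
    $login = trim( (string) $request->get_param( 'login' ) );

    if ( is_email( $login ) ) {
        $user = get_user_by( 'email', $login );
    } else {
        $user = get_user_by( 'login', sanitize_user( $login ) );
    }

    if ( $user instanceof WP_User ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            // Destination comes from the user record, never from the request.
            wp_mail( $user->user_email, 'Password reset', "Reset your password: {$link}" );
        }
    }

    return rest_ensure_response( array( 'sent' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_forgot_password_secure',
        // A reset endpoint is unauthenticated by design; rate-limit it at the edge.
        'permission_callback' => '__return_true',
        'args'                => array(
            'login' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The design point is that a password-reset endpoint should never accept a mail destination from the caller at all. Checking that a supplied email "matches" the username is a weaker fix than simply not having the parameter, since the stored `user_email` is the only address the reset link should ever reach.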

Discovery and Disclosure Timeline

Security researcher Choigyeongmin discovered this vulnerability and reported it through the Wordfence Bug Bounty Program, earning a reward of $6,436. Wordfence validated the issue on May 8, 2026, and promptly deployed firewall protections for premium users on May 9, ahead of public disclosure. The flaw was reported to Themeum, the developers of Kirki, on May 15, 2026. Demonstrating commendable responsiveness, Themeum released a patch in version 6.0.7 just three days later, effectively addressing the vulnerability.

Mitigation Measures

Website administrators are strongly urged to update the Kirki plugin to version 6.0.7 or later immediately to mitigate this critical security risk. For those utilizing Wordfence, premium users have already received protective firewall rules, while free users are scheduled to receive coverage on June 8, 2026. Given the ease of exploitation and the potential for significant damage, prompt patching and vigilant monitoring for suspicious password reset activities are imperative.

Broader Implications

This incident underscores the importance of rigorous input validation and secure handling of authentication processes within plugins. It also highlights the critical role of timely updates and the value of security research collaborations in identifying and mitigating vulnerabilities before they can be exploited maliciously.