Website & Technology, June 4, 2026

Kirki Vulnerability in WordPress: 150,000 Sites at Immediate Risk

Key Points

A critical vulnerability (CVE-2026-8206, CVSS 9.8) in the WordPress plugin Kirki allows unauthorized takeover of admin accounts. Versions 6.0.0 through 6.0.6 are affected. On June 2, 2026, Wordfence recorded over 222 attack attempts within 24 hours. Updating to version 6.0.7 is mandatory. If you cannot update, disable the plugin immediately.

On June 2, 2026, Wordfence disclosed a security vulnerability in the Kirki plugin. The plugin is used on over 500,000 WordPress sites. Approximately 150,000 of these are running a vulnerable version. The vulnerability is designated CVE-2026-8206 and has the maximum CVSS score for such attacks: 9.8 out of 10. Attackers can use it to take over any account, including administrator accounts, without logging in. We’ll break down who is affected, how the attack works, and what website operators should do now.

What Kirki Is and Who Uses It

Kirki is a free visual builder and customizer framework for WordPress. Themeum acquired the plugin in 2023 from its original developer, David Vongries. Today, Kirki has around 500,000 active installations. The plugin provides controls for the WordPress Customizer and allows users to build landing pages and entire websites without writing code.

Many themes are built directly on top of Kirki. Anyone using a popular theme from the WordPress directory often has Kirki installed without even knowing it. That is precisely what makes the current vulnerability dangerous. Affected site owners are often completely unaware of the plugin.

How the attack works

The vulnerability lies in the password reset function. The relevant code in handle_forgot_password() accepts any email address if the attacker knows a valid username. Instead of sending the reset link to the account’s registered email, it goes to the address provided by the attacker.

The attack proceeds in four steps:

  1. The attacker identifies a WordPress username, often via the author archive or REST API
  2. The attacker sends a password reset request with their own email address as the recipient
  3. The plugin sends the reset link to the attacker’s address
  4. The attacker clicks the link, sets a new password, and gains access

No login required, no user interaction, no special tools. A single HTTP request is enough. Wordfence blocked 222 attack attempts within the first 24 hours of the vulnerability’s disclosure. The wave is underway.
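The flaw class the article describes, modelled as a hypothetical WordPress reset handler next to a hardened one. This is an added illustration, not Kirki's actual code: the function names are invented, while the WordPress API calls (get_user_by, get_password_reset_key, network_site_url, wp_mail) are the real core functions.

```php
<?php
// Added illustration, not Kirki's code: the weak pattern the article describes
// (reset link mailed to a request-supplied address) next to a hardened handler.
// Function names are hypothetical; the WordPress API calls are real.

function reset_link_for( WP_User $user ) {
    $key = get_password_reset_key( $user );      // string or WP_Error
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    return network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
}

// Weak: the recipient is whatever the request says it is.
function weak_forgot_password( array $request ) {
    $user = get_user_by( 'login', sanitize_user( $request['username'] ?? '' ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );  // also confirms valid logins
    }
    $link = reset_link_for( $user );
    if ( is_wp_error( $link ) ) {
        return $link;
    }
    // BUG: anyone who knows the login can route the reset link to a mailbox of their choice.
    return wp_mail( sanitize_email( $request['email'] ?? '' ), 'Password reset', $link );
}

// Hardened: the recipient comes only from the stored account record, and the
// response is identical whether or not the login exists.
function hardened_forgot_password( array $request ) {
    $input = $request['username'] ?? '';
    $user  = get_user_by( 'login', sanitize_user( $input, true ) )
          ?: get_user_by( 'email', sanitize_email( $input ) );
    if ( ! $user ) {
        return true;   // do not reveal whether the account exists
    }
    $link = reset_link_for( $user );
    if ( is_wp_error( $link ) ) {
        return $link;
    }
    // $request['email'] is deliberately ignored.
    return wp_mail( $user->user_email, 'Password reset', "Reset your password: $link" );
}
```

The one-line difference is the first argument to wp_mail; any review of a custom reset flow should check that the recipient is derived from the account, never from the request.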

Timeline of the disclosure

  • May 4, 2026: Security researcher Choigyeongmin reports the vulnerability to the Wordfence Bug Bounty Program
  • May 8, 2026: Wordfence validates the severity
  • May 9, 2026: Wordfence Premium users receive firewall protection in advance
  • May 15, 2026: Themeum is notified
  • May 18, 2026: Themeum releases version 6.0.7 with a fix
  • June 2, 2026: Public disclosure, immediate mass attacks

There were 15 days between the patch and the public announcement. Anyone who did not update during this time is now at risk.

Who is affected

Three scenarios are currently critical:

Direct plugin use. Kirki is visible as a plugin in the backend. Check the status under “Plugins > Installed.” If a version from 6.0.0 through 6.0.6 is displayed, immediate action is required.

Indirect use via themes. Some premium themes install Kirki in the background. The plugin will appear in the list, but updates do not occur automatically. In this case, check the theme customizer and the directory wp-content/plugins/kirki/.

Abandoned sites without maintenance. Websites without active maintenance are the primary target of automated mass attacks. Anyone who hasn’t run an update in months must check immediately.

Versions prior to 6.0.0, and version 6.0.7 and later, are not affected. The vulnerability was introduced with the 6.0 major release and is not present in older builds.

What site operators should do now

Four steps, in this order.

Step 1: Check the plugin version. In the WordPress backend, go to “Plugins > Installed” and search for “Kirki.” Note the version number. If it is between 6.0.0 and 6.0.6, the site is vulnerable.

Step 2: Update or deactivate immediately. Update via the backend or via WP-CLI using wp plugin update kirki. If you don’t actively need the plugin, deactivate and remove it. A deactivated plugin permanently reduces the attack surface.

Step 3: Check accounts and activity. Go through the list of users under “Users > All Users.” Look for:

  • New administrator accounts that no one created
  • Recently changed email addresses for existing accounts
  • Password reset emails sent to unknown recipients

If you find any matches, assume a compromise has occurred. Then: reset all passwords, log out all sessions, restore a backup from before June 2, or consult a specialist.

Mind the GDPR: If personal data is affected, Article 33 GDPR applies — report the breach to the supervisory authority within 72 hours.

Step 4: Make it harder to list users. By default, WordPress exposes usernames via author archives and the REST API. We’ve been recommending restricting this for years. A proper security configuration won’t prevent every vulnerability, but it significantly reduces the success rate of automated bots.
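One way to implement Step 4, as an added example that is not part of the article: a must-use plugin that hides the two username sources the article names (the REST users endpoint and author archives), plus the core users sitemap that lists author archive URLs, from visitors who are not logged in. The hook names are WordPress core hooks; the plugin name and file location are assumptions.

```php
<?php
/**
 * Plugin Name: Hide usernames from anonymous visitors
 * Added example (not from the article): place in wp-content/mu-plugins/.
 * Removes the username sources Step 4 names (REST users endpoint, author
 * archives) plus the core users sitemap, for requests that are not logged in.
 */

// 1. REST API: drop every /wp/v2/users route for anonymous requests.
//    The filter runs after REST authentication, so is_user_logged_in() is reliable here.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 2. Author archives: both /author/<login>/ and ?author=<id> build an author query.
//    Priority 1 runs before redirect_canonical() (priority 10), so the
//    ?author=1 -> /author/<login>/ redirect that reveals the login never fires.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 3. Core XML sitemaps: wp-sitemap-users-1.xml lists author archive URLs.
//    Returning false from this filter drops the "users" provider entirely.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );
```

Usernames can still surface elsewhere (comment author CSS classes, theme author boxes, the login form's distinct "unknown username" error), so treat this as the reduction the article promises, not a guarantee.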

What this vulnerability means for SME websites

Three observations from recent client projects:

First: Not every WordPress site has an active maintenance contract. Many SME websites have been running for years without a structured update routine. Such sites are the primary target of automated mass attacks. A license for Patchstack or Wordfence Premium costs less per year than a single emergency cleanup following a compromise.

Second: Auto-update isn’t enough. WordPress only updates plugins automatically if the site owner has explicitly enabled the feature. By default, auto-update is disabled. Those who rely on the default setting face delays of days to weeks after a vulnerability is disclosed.

Third: Reduce the number of plugins. An average SME website using a builder theme has between 20 and 40 active plugins. Each one is a potential entry point. In our audits, we consistently recommend removing plugins that aren’t actively used and, where possible, moving builder functions into the theme.

What the plugin ecosystem shows us

Kirki isn’t the first popular plugin with a critical vulnerability. In 2026 alone, this already affected Avada Builder, Funnel Builder, ACF Extended, Burst Statistics, WPvivid, and more. The pattern: a new major release, a feature without proper input validation, hundreds of thousands of sites in the crosshairs.

What we consistently implement for clients:

  1. Regularly review and reduce the plugin inventory
  2. Actively perform security monitoring with Patchstack or Wordfence
  3. Store backups in a protected environment outside the server
  4. Do not delay updates; roll them out promptly
  5. Monitor the version history of popular plugins

A plugin that quickly delivers many features is no substitute for a deliberate maintenance strategy. Anyone who relies on a builder like Kirki assumes responsibility for its update maintenance.

Conclusion

CVE-2026-8206 is a serious vulnerability. It has a wide reach (500,000 installations), a maximum CVSS score, is trivial to exploit, and is currently being actively targeted. If you use Kirki, update to 6.0.7 now or deactivate the plugin. If you’re unsure whether you use Kirki, check the plugin directory manually. If you haven’t taken any action since the disclosure on June 2, assume the worst-case scenario for your site.

Running Kirki? Close the gap before someone exploits it.

I check your WordPress site, close the vulnerability and clean up if a rogue admin account already slipped in. Technical takeover within 48 hours — your code stays 100% yours. Start with a free 15-minute quick-check of your WordPress site.

Frequently Asked Questions

How do I know if my website uses Kirki?

In the WordPress dashboard, go to "Plugins > Installed" and search for "Kirki." Alternatively, use FTP or SSH to check the folder wp-content/plugins/ for a "kirki" subfolder. Some premium themes install Kirki in the background without the site owner knowing.

Is it enough to just disable Kirki?

Yes. A disabled extension does not load any code. This means the vulnerability can no longer be exploited. However, we recommend completely removing disabled plugins. Code in the plugin directory may become relevant again during future WordPress updates.

What should you do if the site has already been compromised?

Change all administrator passwords immediately and log out of all sessions. Restore the backup from before June 2, 2026. Check the user list for newly created accounts. If you find suspicious files in the plugin directory or theme, consult a security expert. Cleaning up yourself is dangerous because attackers often install multiple backdoors.

Does a web application firewall help?

A WAF with up-to-date rules blocks many automated attacks. Patchstack and Wordfence Premium provide the necessary protection rules within a few hours of a vulnerability being disclosed. However, a WAF is never a substitute for updates. It simply buys you time—nothing more.