Server Side Request Forgery Vulnerability in Kirki Plugin by WordPress
CVE-2026-57627

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Kirki
Vendor: CVE Published:; 26 June 2026

What is CVE-2026-57627?

The Kirki plugin for WordPress is susceptible to a server side request forgery (SSRF) vulnerability in versions 6.0.11 and below. This flaw can allow an attacker to send unauthorized requests from the server, potentially leading to exposure of sensitive information or further exploitation of the underlying system. It is imperative for users of affected versions to apply security updates and bolster their WordPress site resilience.

Affected Version(s)

Kirki <= 6.0.11

References

https://patchstack.com/database/wordpress/plugin/kirki/vu...

vdb-entry

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2026
Vulnerability Reserved
Jun 25, 2026

Credit

Ananda Dhakal (Patchstack) | Patchstack Bug Bounty Program

CVE-2026-57627 Data

JSON