Authorization Bypass in Kirki Freeform Page Builder for WordPress
CVE-2026-8096

6.5 MEDIUM

What is CVE-2026-8096?

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress contains a vulnerability that allows unauthorized access to frontend forms. This issue arises from the plugin's failure to adequately verify user permissions for actions related to form handling. As a result, attackers with subscriber-level access or higher can exploit this flaw to access sensitive visitor data, including contact information and submitted messages. This incident highlights the importance of proper authorization checks in plugin development to prevent unauthorized data exposure.

Affected Version(s)

Kirki – Freeform Page Builder, Website Builder & Customizer: versions 0 through 6.0.6 (<= 6.0.6)

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Giang Bui