Privilege Escalation in Kirki Freeform Page Builder for WordPress
CVE-2026-8206

9.8 CRITICAL

What is CVE-2026-8206?

The Kirki Freeform Page Builder plugin for WordPress is vulnerable to privilege escalation through a flaw in its password reset functionality. In versions 6.0.0 through 6.0.6, the reset handler accepts an arbitrary, attacker-supplied email address when a password reset is requested, so an unauthenticated attacker can have another user's password reset link delivered to an address they control and gain unauthorized access to that account without ever authenticating as its owner.
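The flaw class described above is a password reset flow in which the recipient of the reset email is taken from the request rather than from the account record. The following is an added illustrative example written for this page; it is not the Kirki plugin's code and does not claim to reproduce its exact handler. The function names `insecure_send_reset` and `secure_send_reset` and the shape of the `$request` array are assumptions; the WordPress functions it calls (`get_user_by`, `get_password_reset_key`, `is_wp_error`, `network_site_url`, `wp_mail`, `sanitize_email`, `is_email`) are real core APIs.

```php
<?php
// Added example, not the plugin's code. It contrasts the vulnerable pattern
// behind CVE-2026-8206 (recipient taken from the request) with a hardened
// handler (recipient fixed to the address stored on the account).
// Function names and the $request layout are assumptions for illustration.

/**
 * Vulnerable pattern: the reset link is generated for the account named in
 * the request, but mailed to whatever address the request supplies.
 * Anyone who knows a username can route that account's reset link to an
 * inbox they control.
 */
function insecure_send_reset( array $request ) {
    $user = get_user_by( 'login', $request['user_login'] ?? '' );
    if ( ! $user ) {
        return false;
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return false;
    }
    $link = network_site_url(
        "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ),
        'login'
    );
    // BUG: attacker-controlled recipient. This is the defect class of the advisory.
    return wp_mail( sanitize_email( $request['email'] ?? '' ), 'Password reset', $link );
}

/**
 * Hardened pattern: the request only identifies the account; the email is
 * always sent to $user->user_email, the address stored on that account.
 * The caller gets the same generic result whether or not the account exists,
 * which also avoids account enumeration. Returns true when the request was
 * accepted, false only on input validation failure.
 */
function secure_send_reset( array $request ) {
    $identifier = trim( (string) ( $request['user_login'] ?? '' ) );
    if ( '' === $identifier ) {
        return false;
    }
    // Accept a username or the account's own email, as core's retrieve_password() does.
    $user = is_email( $identifier )
        ? get_user_by( 'email', $identifier )
        : get_user_by( 'login', $identifier );
    if ( ! $user ) {
        return true; // Generic success: do not reveal whether the account exists.
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return true; // Still generic to the caller; log the error server-side instead.
    }
    $link = network_site_url(
        "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ),
        'login'
    );
    $message = "Someone requested a password reset for your account.\n"
             . "If this was not you, ignore this message.\n\n"
             . "Reset your password here: $link\n";
    // Recipient is the stored address; any 'email' field in the request is ignored.
    wp_mail( $user->user_email, 'Password reset', $message );
    return true;
}
```

When auditing a plugin for this defect class, look for `wp_mail()` calls whose first argument traces back to `$_POST`, `$_GET`, `$_REQUEST`, or a REST/AJAX request parameter rather than to a `WP_User` object's `user_email`; the reset link itself being correctly generated with `get_password_reset_key()` does not make the flow safe if the recipient is attacker-controlled.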

Affected Version(s)

Kirki – Freeform Page Builder, Website Builder & Customizer 6.0.0 <= 6.0.6

References

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

CHOIGYEONGMIN