WordPress 'Kirki' flaw CVE-2026-8206 lets attackers hijack admin accounts on 500k sites
Kirki, a WordPress plugin on 500,000+ sites, has a critical flaw (CVE-2026-8206): unauthenticated attackers can hijack admin accounts. Update to 6.0.7 now.

Makoto Horikawa
Backend Engineer / AWS / Django
Kirki, a popular plugin for WordPress (the site-building software that runs roughly 40% of all websites) installed on over 500,000 sites, contains a flaw that lets anyone take over an administrator account without logging in (CVE-2026-8206). Its CVSS score, a 0–10 measure of severity, is 9.8 — the top "critical" rank. The cause is a flaw in password reset handling: as long as an attacker knows a username, they can have that account's password-reset link delivered to their own email address and seize the account.
Affected versions are 6.0.0 through 6.0.6, and the fixed release 6.0.7 is already available. According to Wordfence (a WordPress security firm), of the roughly 500,000 sites, about 150,000 are still on a vulnerable version. This article walks through what happens, whether your site is affected, and what to do now.
The flaw at a glance
First, the key facts. The defining traits are that no login is needed to attack, and that the accounts you can seize include administrators. Take over an admin and the site is effectively handed to the attacker whole.
| Item | Detail |
|---|---|
| ID | CVE-2026-8206 |
| Affected | Kirki (WordPress plugin) |
| Affected versions | 6.0.0 – 6.0.6 |
| Flaw type | Improper privilege management / account takeover (CWE-269) |
| Entry point | Password reset feature |
| Severity | CVSS 9.8 (Critical) |
| Login required | No (anyone) |
| Fixed in | 6.0.7 or later |
"Account takeover" means an attacker logs in posing as you. Here it works by having a password-reset link — which should only ever go to the account's registered email — sent to a different address the attacker chooses. A CVSS of 9.8 means "no authentication, over the network, low difficulty": a critical-level profile.
A single "Forgot your password?" screen hands over the admin's chair
What makes this flaw nasty is that the entry point is the "Forgot your password?" screen everyone has seen. The people who target it are defacers who plant fake storefronts or scam redirects on hijacked sites, theft crews who pull member names, emails, and purchase histories to sell as lists, spam operators who bury thousands of junk links to poison search results, and attackers who want someone else's server as a stepping stone. They guess an administrator's username, attach their own email address, and request a reset. That one move sends the admin's password-reset link to the attacker's inbox, and the instant they set a new password, the keys to the site's dashboard are taken whole.
Once an admin is taken, the damage doesn't stop at one stage. The attacker quietly adds new administrator accounts and injects malicious code to skim visitors' credit-card details, or carts off the entire member database. The back doors they plant can survive even after the owner changes passwords, so information keeps flowing out while the site looks like business as usual. Because WordPress powers around 40% of the web, it's an efficient target: the same trick harvests huge numbers of sites at once.
The one left to clean up is the company or individual running the site. If member data leaks, there are breach-notification duties; for an online shop it can mean exposed payment data, and for a corporate site, reputational damage from defacement. A scale of 500,000 sites means an attacker can try "every one in a row," not just "one somewhere." Whether you can update to 6.0.7 now is what decides whether your site joins that harvest.
What kind of plugin is Kirki?
Kirki is a plugin (an add-on that extends features) for shaping a WordPress site's look and settings. It began as a widely used "framework for the Customizer," letting theme developers easily build screens for adjusting colors, fonts, and layout. It is now distributed as "Freeform Page Builder, Website Builder & Customizer," with page-building features added, and has been installed on more than 500,000 sites in total.
The problem here lies in Kirki's own password reset handling. WordPress itself has a standard password reset feature, but Kirki provided its own "Forgot your password?" handling as part of its built-in login and membership features. Because that custom handling was poorly built, an operation that should never be allowed — hijacking someone else's reset link — went through.
Inside CVE-2026-8206: the reset link arrives at the attacker's email
According to Wordfence's analysis and the NVD (the U.S. vulnerability database), the flaw is in a routine called handle_forgot_password() inside Kirki. The routine correctly identifies the right account from the submitted username. But it then sets the destination of the reset link not to that account's registered email, but to an arbitrary email address attached to the request.
In other words, an attacker only has to submit the target account's username (say, an administrator's) plus an email address they can receive at, and they can have the admin's reset link delivered to their own inbox. From there, they set a new password and log in legitimately as the administrator. The CVSS breakdown is AV:N/AC:L/PR:N/UI:N — over the network, low difficulty, no authentication, no user interaction, the heaviest profile there is. The classification is improper privilege management (CWE-269).
All versions from 6.0.0 through 6.0.6 are affected. After the report, Kirki's developer fixed it in 6.0.7, pinning the reset link's destination to the account's registered email. Note that Kirki also had a separate file-read vulnerability (CVE-2026-8073) reported; both are addressed in the latest version.
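To make the defect concrete, here is an added illustration (not Kirki's actual code) of a forgot-password handler written the way the article describes, next to the hardened form that pins the destination to the account's stored email. The function names and form field names are assumptions; the WordPress functions called (get_user_by, get_password_reset_key, network_site_url, wp_mail) are real.

```php
<?php
// Added illustration, not Kirki's code: the pattern the article describes
// (reset link mailed to a request-supplied address) beside the hardened form.
// Function and POST field names are assumptions.

// VULNERABLE PATTERN (what CVE-2026-8206 boils down to): the account is
// looked up by username, but the link goes wherever the request says.
function forgot_password_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $user  = get_user_by( 'login', $login );
    if ( ! $user ) {
        return false;
    }
    $key = get_password_reset_key( $user ); // a reset key valid for this account
    if ( is_wp_error( $key ) ) {
        return false;
    }
    $url = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
    // BUG: destination taken from the request, so whoever knows an admin's
    // username receives the admin's reset link.
    $to = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    return wp_mail( $to, 'Password reset', "Reset your password: $url" );
}

// HARDENED FORM: the destination is never read from the request; it is the
// address stored on the account (what the 6.0.7 fix does per the article).
// The response is the same whether or not the username exists, so the form
// does not double as a username oracle.
function forgot_password_fixed() {
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $user  = get_user_by( 'login', $login );
    if ( $user ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $url = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
            // Any "email" field in the request is ignored entirely.
            wp_mail( $user->user_email, 'Password reset', "Reset your password: $url" );
        }
    }
    return true; // caller shows "if that account exists, a link has been sent"
}
```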
Is your site affected? Quick reference
Whether you have Kirki, and which version, determines how urgent your response is. First, check the "Plugins" list in your dashboard for Kirki and its version.
| Situation | Risk | Priority | What to do now |
|---|---|---|---|
| Running Kirki 6.0.0–6.0.6 | Admin takeover risk | Top (immediate) | Update to 6.0.7 + check for rogue admins |
| Updated to Kirki 6.0.7+ | Fixed for this issue | Normal | Confirm version and user list |
| Not using Kirki | Not directly affected | Low | Keep other plugins updated |
If Kirki ships bundled with your theme, it may be active even if you never installed it yourself. Even if you don't see "Kirki" in the plugin list, it's worth checking whether your theme uses it, and consulting your theme provider's guidance.
What to do now
The top priority is to update Kirki to 6.0.7 or later. Apply it from "Plugins" → "Update" in your WordPress dashboard. Turning on automatic updates makes it less likely you'll miss future fixes. With about 150,000 sites still on a vulnerable version, an attack could begin at any time. Don't put it off — update now.
Just as important is checking whether you've already been breached. Open the "Users" list in your dashboard and look for unfamiliar administrator accounts that have appeared. Delete any users you don't recognize and reset every administrator's password to be safe. Also check posts and theme files for suspicious added code using your site's integrity check or a security plugin.
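The two checks above can also be done from the command line. The script below is an added example, not part of Kirki or this article; it is meant to be run with WP-CLI (wp eval-file) and assumes the plugin's directory or header name contains "kirki", which is not stated on the page.

```php
<?php
// Added check script (not Kirki's or the article's code). Run with:
//   wp eval-file kirki-check.php
// Assumption: the plugin folder or its "Name" header contains "kirki".
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

// 1. Is Kirki installed, and is its version in the affected range 6.0.0-6.0.6?
foreach ( get_plugins() as $file => $data ) {
    if ( stripos( $file, 'kirki' ) === false && stripos( $data['Name'], 'kirki' ) === false ) {
        continue;
    }
    $state = is_plugin_active( $file ) ? 'active' : 'inactive';
    $affected = version_compare( $data['Version'], '6.0.0', '>=' )
             && version_compare( $data['Version'], '6.0.7', '<' );
    if ( $affected ) {
        WP_CLI::warning( "$file {$data['Version']} ($state): affected by CVE-2026-8206, update to 6.0.7 or later" );
    } else {
        WP_CLI::log( "$file {$data['Version']} ($state): not in the affected range" );
    }
}

// 2. List every administrator, newest registration first, so unfamiliar ones stand out.
$admins = get_users( [ 'role' => 'administrator', 'orderby' => 'registered', 'order' => 'DESC' ] );
foreach ( $admins as $u ) {
    WP_CLI::log( sprintf( '%-6d %-20s %-30s %s', $u->ID, $u->user_login, $u->user_email, $u->user_registered ) );
}
WP_CLI::log( count( $admins ) . ' administrator account(s); remove any you do not recognize and reset the rest.' );
```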
WordPress plugin flaws have been arriving back to back lately. As covered in our earlier pieces on the four flaws in Gravity Forms and other plugins, the TinyMCE flaw that lets editors seize admin, and the ACF Extended admin-creation flaw, deleting plugins you don't use and keeping the rest updated is the best defense.
Confirmed facts and open questions
Confirmed facts
- ✓ Without logging in, an attacker can take over any account, including administrators (Wordfence)
- ✓ Affected versions are 6.0.0–6.0.6; fixed 6.0.7 was released on May 18, 2026
- ✓ About 500,000 sites have it installed; roughly 150,000 are believed to be on a vulnerable version
Not yet confirmed
- ? Any real-world exploitation — as of this article, no exploit reports or public exploit code have been confirmed, and it is not in the U.S. CISA "Known Exploited Vulnerabilities" (KEV) list
- ? How widely it's used on Japanese sites — no public data on Kirki installs in Japan has been confirmed
How it came to light
Here is the timeline from the researcher's report to the fixed release and the vulnerability listing.
FAQ
Q. How do I check whether my site is affected?
A. Open "Plugins" in your WordPress dashboard and check for Kirki and its version. 6.0.0–6.0.6 is affected. Updating to 6.0.7 or later completes the fix. Kirki can also ship bundled with a theme, so even if it's not in the plugin list, it's worth confirming whether your theme uses it.
Q. I'm worried it's already compromised. What should I check?
A. In the dashboard's "Users" list, look for unfamiliar administrator accounts that have appeared. Delete any users you don't recognize and reset every administrator's password. Also use a security plugin to check posts and theme files for suspicious code.
Q. Is it already being exploited?
A. As of this article, there are no reports of real-world exploitation or public exploit code. However, since the nature of the flaw and the fixed release are already public, it isn't hard for attackers to put together a method. Update before exploitation begins.
Q. Why is password reset such a frequent target?
A. Password reset relies on the assumption that "only the real owner can receive the link." If the destination check is weak, a third party can intercept the link and walk straight past the login wall. Here, that destination check was missing, so anyone could have someone else's reset link delivered to them.
Summary
CVE-2026-8206 in Kirki lets anyone take over any account — administrators included — without logging in, because the password-reset link's destination wasn't validated. The CVSS is 9.8. Affected versions are 6.0.0–6.0.6, and the fixed 6.0.7 is already out. About 500,000 sites have it installed, of which roughly 150,000 are believed to still be on a vulnerable version. There are no exploitation reports yet, but with both the flaw's details and the fix public, an attack is a matter of time. If your site uses Kirki, update to 6.0.7 or later now, and check whether any unfamiliar administrator accounts have appeared. A "don't question the destination" design in password reset is a classic case where a single overlooked line hands over an entire site.