Kirki – Freeform Page Builder, Website Builder and Customizer plugin Vulnerability (CVE-2026-8096)

Security Alert Summary

The Kirki – Freeform Page Builder, Website Builder and Customizer plugin for WordPress has an authorization bypass vulnerability in all versions up to and including 6.0.6. Authenticated users with subscriber-level access or higher can view Kirki frontend forms and read stored visitor form submission data, exposing contact details, messages, and other visitor-provided information.

CVE Details

  • CVE ID: CVE-2026-8096
  • Affected component: Kirki – Freeform Page Builder, Website Builder and Customizer plugin for WordPress
  • Affected versions: All versions up to and including 6.0.6
  • Published: May 19, 2026 at 7:16:51 PM UTC
  • Last modified: May 19, 2026 at 9:00:47 PM UTC
  • CVSS v3.1: Base score 6.5, MEDIUM; CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Authentication / Privileges / User interaction: Requires authentication; privileges required: LOW (subscriber-level and above); user interaction: NONE
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
  • Weakness: CWE-862 (Missing Authorization)

Technical Details

The vulnerability is an authorization bypass caused by the plugin not properly verifying that a user is authorized to perform an action. As a result, authenticated users with subscriber-level access and higher can access Kirki frontend forms and read stored visitor form submissions.

The issue is associated with the plugin’s AJAX handling where authorization checks are missing or insufficient (see the plugin file path referenced in public analysis: includes/Ajax.php). Because the relevant code does not properly validate whether the requesting user has permission to view stored form data, the plugin exposes visitor-submitted information to low-privilege authenticated accounts.

Impact is limited to disclosure of stored form submission data submitted through Kirki frontend forms. Based on the available data, the vulnerability does not allow modification or deletion of stored data or disruption of site availability.
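The following is an added illustration of the CWE-862 pattern described above and of the check that closes it; it is not code from the Kirki plugin or from includes/Ajax.php, and the action name `example_get_submissions`, the option key `example_form_submissions` and the `manage_options` capability are assumptions chosen for the example. A `wp_ajax_*` handler is reachable by any authenticated user, so the handler itself has to decide who is allowed to read the data.

```php
<?php
/**
 * Added illustration (not Kirki's code): a WordPress AJAX handler that
 * returns stored visitor submissions, first in the missing-authorization
 * shape, then hardened. Action and option names are assumptions.
 */

// --- Vulnerable shape ----------------------------------------------------
// wp_ajax_* hooks fire for EVERY logged-in user, including subscribers.
// Nothing here asks whether the caller may see visitor data.
add_action( 'wp_ajax_example_get_submissions_unchecked', 'example_get_submissions_unchecked' );

function example_get_submissions_unchecked() {
    $submissions = get_option( 'example_form_submissions', array() );
    wp_send_json_success( $submissions ); // exposes names, e-mails, messages
}

// --- Hardened shape ------------------------------------------------------
add_action( 'wp_ajax_example_get_submissions', 'example_get_submissions_checked' );

function example_get_submissions_checked() {
    // 1. Anti-CSRF: the request must carry a nonce issued for this action.
    //    check_ajax_referer() dies with a 403 when the nonce is missing/invalid.
    check_ajax_referer( 'example_get_submissions', 'nonce' );

    // 2. Authorization (the missing step behind CWE-862): reading stored
    //    visitor data is restricted to users who can manage site options,
    //    i.e. administrators by default. Subscribers and contributors stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $submissions = get_option( 'example_form_submissions', array() );
    wp_send_json_success( $submissions );
}

// The nonce checked above is handed to the admin-side script like this, so
// only a page rendered for the current user can call the endpoint.
add_action( 'admin_enqueue_scripts', 'example_enqueue_submissions_script' );

function example_enqueue_submissions_script() {
    wp_enqueue_script( 'example-submissions', plugins_url( 'submissions.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-submissions', 'exampleSubmissions', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_get_submissions' ),
    ) );
}
```

The nonce alone is not an authorization control: a subscriber who can load a page carrying the nonce would still pass `check_ajax_referer()`, which is why the `current_user_can()` test is the part that actually fixes the disclosure.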

How This Could Impact Your Website

In a typical small business WordPress site, the site owner and administrators configure the forms used for lead capture and contact. Internal staff or external contractors who have subscriber or contributor accounts for commenting or other low-privilege tasks could, because of this issue, view stored visitor submissions that include names, email addresses, and freeform messages. That extra exposure can make it easier for attackers to craft targeted phishing or social engineering campaigns against staff or customers and could reveal sensitive visitor information that you intended to keep private.

If you are unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor and subscriber privileges.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and access logs for unusual behavior related to form access or downloads of stored submissions.
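To support the last recommendation while a patch is pending, here is an added example of a small must-use plugin that records every admin-ajax.php request made by a logged-in user who lacks the `manage_options` capability. It is not part of Kirki or of this advisory's source data; the capability threshold and the use of the PHP error log as the destination are assumptions, and it does not need to know the plugin's own action names because it logs the `action` parameter of whatever request arrives.

```php
<?php
/**
 * Plugin Name: Example low-privilege AJAX audit
 * Description: Added illustration (not Kirki code). Logs admin-ajax.php
 *              calls from users without manage_options so that unexpected
 *              form-data reads by subscriber/contributor accounts are visible.
 *              Place in wp-content/mu-plugins/ to activate automatically.
 */

// admin-ajax.php runs the admin_init hook before dispatching the action,
// so this fires for every AJAX request, authenticated or not.
add_action( 'admin_init', 'example_audit_low_priv_ajax' );

function example_audit_low_priv_ajax() {
    // admin_init also runs on ordinary dashboard pages; only audit AJAX.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $user = wp_get_current_user();

    // Anonymous callers (wp_ajax_nopriv_*) and privileged users are out of
    // scope: the advisory concerns low-privilege *authenticated* accounts.
    if ( 0 === $user->ID || current_user_can( 'manage_options' ) ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '(none)';

    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';

    // One line per request; grep the PHP error log for "[ajax-audit]".
    error_log( sprintf(
        '[ajax-audit] user_id=%d login=%s roles=%s action=%s method=%s ip=%s',
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $action,
        isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : '-',
        $ip
    ) );
}
```

Review the resulting lines for subscriber or contributor accounts repeatedly calling actions that belong to form or submission handling; on a site where such roles only exist for commenting, any of those entries is worth a closer look. Because the plugin reads only request metadata and never the submission data itself, it is safe to leave in place after updating.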

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
