Kirki – Freeform Page Builder, Website Builder & Customizer Plugin Vulnerability (CVE-2026-8073)


Security Alert Summary

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress contains a vulnerability in the downloadZIP function that allows unauthenticated attackers to read and delete files within the WordPress uploads base directory. The issue is caused by insufficient file path validation and a missing capability check.


CVE Details

  • CVE ID: CVE-2026-8073
  • Affected component: Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress
  • Affected versions: All versions up to and including 6.0.6
  • Published: May 19, 2026 at 7:16:51 PM UTC
  • Last modified: May 19, 2026 at 9:00:47 PM UTC
  • CVSS v3.1: Base Score 7.5, Severity HIGH, Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Authentication / Privileges / User Interaction: No authentication or privileges required (PR:N). No user interaction required (UI:N).
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE (per CVSS v3.1).
  • CWE / Weakness: CWE-23 (Improper Restriction of Operations within the Bounds of a Memory Buffer / Path Traversal related)

Technical Details

The vulnerability exists in the plugin’s downloadZIP function. The function lacks sufficient validation of file paths and does not perform the expected capability checks before serving or removing files. As a result, an unauthenticated attacker can supply crafted input that allows reading and deletion of files within the WordPress uploads base directory.

The root causes named in the report are insufficient file path validation and a missing capability check in downloadZIP. The documented impact is limited to files under the uploads directory: neither the reported plugin behaviour nor the CVSS assessment indicates integrity or availability impact on other parts of the site beyond disclosure of uploaded files and removal of files in that directory.
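The following is an added illustration, not the plugin's own code and not a reconstruction of the vulnerable function: it shows the two controls the report says are missing (a capability check and a path-containment check) in a WordPress admin-ajax download handler. The action name `example_download_zip`, the `manage_options` capability and the `file`/`nonce` request parameters are assumptions for the example.

```php
<?php
// Illustrative hardened handler (assumed names, not Kirki's code).
// Resolves a user-supplied relative path and returns it only if it
// canonicalises to a location inside the WordPress uploads base directory.
function example_resolve_upload_path( string $requested ) {
    $base = wp_normalize_path( realpath( wp_upload_dir()['basedir'] ) );
    $real = realpath( path_join( $base, ltrim( $requested, '/\\' ) ) );
    if ( false === $real ) {
        return false; // does not exist, or traversal left the filesystem tree we can see
    }
    $real = wp_normalize_path( $real );
    // Compare against the base with a trailing slash so a sibling such as
    // "/uploads-other" is not accepted as a prefix match of "/uploads".
    if ( 0 !== strpos( $real, trailingslashit( $base ) ) ) {
        return false; // "../" sequences resolved to somewhere outside uploads
    }
    return $real;
}

function example_download_zip_handler() {
    // 1. Capability check: unauthenticated or low-privilege requests never reach file I/O.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce check against cross-site request forgery on admin-ajax.
    check_ajax_referer( 'example_download_zip', 'nonce' );

    $requested = isset( $_GET['file'] ) ? sanitize_text_field( wp_unslash( $_GET['file'] ) ) : '';
    $path      = example_resolve_upload_path( $requested );

    // 3. Only serve regular .zip files that passed the containment check.
    if ( false === $path || ! is_file( $path )
        || 'zip' !== strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    wp_die();
}

// Registered for logged-in users only; deliberately no wp_ajax_nopriv_ hook,
// so there is no unauthenticated entry point at all.
add_action( 'wp_ajax_example_download_zip', 'example_download_zip_handler' );
```

The same `example_resolve_upload_path()` gate belongs in front of any branch that deletes a file, since the report covers removal as well as disclosure.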


How This Could Impact Your Website

On a typical WordPress site, multiple users interact with media and uploads: a site owner manages settings, internal staff and editors upload images and documents, and external contractors or contributors may also place files in the uploads directory. If an attacker can read files there, sensitive documents or images could be exposed. Exposed files may include internal contact lists, invoices, or other items that reveal email addresses and other personal information.

Practical consequences include increased risk of targeted phishing or social engineering against staff and contractors, and the loss of media or documents if the attacker deletes uploaded files. While the CVSS vector reports confidentiality impact as HIGH and integrity/availability as NONE, the ability to remove uploaded assets can still cause operational inconvenience and data recovery costs.

If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributor-level accounts and other accounts that can upload files.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce attack surface.
  • Monitor site activity and file changes in the uploads directory for unusual behavior and restore missing files from backups if needed.

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

