Security Alert Summary
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress contains a privilege escalation vulnerability (CVE-2026-8206) that allows an unauthenticated attacker to trigger password reset links for arbitrary registered users and send those links to an attacker-controlled email address. This can enable account takeover of affected user accounts without prior authentication.
CVE Details
- CVE ID: CVE-2026-8206
- Affected component: Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress
- Affected versions: all versions 6.0.0 to 6.0.6
- Published: June 2, 2026 at 4:17:03 AM
- Last modified: June 2, 2026 at 1:03:31 PM
- CVSS v3.1: Base Score 9.8, Severity CRITICAL, Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Authentication / Privileges / User interaction: Authentication: none required; Privileges required: none; User interaction: none
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness (CWE): CWE-269
Technical Details
According to the advisory, the plugin accepts an arbitrary email address when a username is provided in a password reset request. When the password reset flow is initiated using a username, the plugin does not correctly verify that the provided email address belongs to the account associated with that username. As a result, an unauthenticated attacker can request a password reset for any registered user and have the reset link sent to an email address they control.
References in the report point to plugin controller files such as CompLibFormHandler.php and ElementGenerator.php, indicating the handling of form input and reset requests occurs in those components. The underlying issue is a missing or insufficient check tying the requested account identifier (username) to the destination email before sending password reset links.
The impact is limited to account takeover of affected user accounts via the password reset mechanism; it does not by itself describe exploitation of other unrelated site functionality.
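To make the missing check concrete, here is an added illustration of the flaw class (a hypothetical reset handler, not Kirki's code) next to a hardened version; it assumes a WordPress runtime, where get_user_by(), get_password_reset_key(), network_site_url(), wp_mail(), sanitize_user(), sanitize_email() and retrieve_password() are core functions.

```php
<?php
// Hypothetical illustration of the flaw described in the advisory; NOT the
// plugin's code. Assumes WordPress core functions are loaded.

// Vulnerable pattern: the reset link for the account named in
// $post['username'] is mailed to whatever address the request supplies.
function insecure_send_reset( array $post ) {
    $user = get_user_by( 'login', sanitize_user( $post['username'] ?? '' ) );
    if ( ! $user ) {
        return false;
    }
    $to  = sanitize_email( $post['email'] ?? '' ); // request-controlled, never tied to $user
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return false;
    }
    $url = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    return wp_mail( $to, 'Password reset', $url ); // link leaves for an unverified address
}

// Hardened pattern: the destination is always the email stored on the account.
// If the form also posts an email, it is accepted only when it matches that
// record; otherwise nothing is sent. Every branch returns the same value so the
// endpoint does not reveal which usernames exist.
function secure_send_reset( array $post ) {
    $user = get_user_by( 'login', sanitize_user( $post['username'] ?? '' ) );
    if ( ! $user ) {
        return true;
    }
    $supplied = sanitize_email( $post['email'] ?? '' );
    if ( '' !== $supplied && 0 !== strcasecmp( $supplied, $user->user_email ) ) {
        return true; // username/email mismatch: silently do nothing
    }
    // On WordPress 5.7+ core's retrieve_password() builds the link and mails
    // it to $user->user_email only; the request can no longer choose the recipient.
    $result = retrieve_password( $user->user_login );
    if ( is_wp_error( $result ) ) {
        error_log( 'password reset failed: ' . $result->get_error_message() );
    }
    return true;
}
```

The property to check in any reset flow is that the recipient is derived from the stored account record, never from request input; a nonce check and rate limiting on the endpoint are sensible additions on top of this.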
How This Could Impact Your Website
On a site using this plugin, an attacker could target specific user accounts. For example, a site owner may have an administrator account, editors or contributors as internal staff, and outside contractors with contributor-level access. An attacker who can trigger password resets for any username and redirect the link to their own email could gain control of individual accounts if the targeted user does not notice the reset or uses weak authentication.
Practical consequences include exposure of user accounts to takeover, which could lead to disclosure of internal email addresses, increased risk of targeted phishing or social engineering against staff, and unauthorized content or settings changes by an attacker who obtains an account. If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributors and accounts with elevated privileges.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and authentication logs for unusual behavior, such as unexpected password reset requests or logins from new IP addresses.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L330
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L48
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/ElementGenerator.php#L227
- https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L330
- https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L48
- https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/ElementGenerator.php#L227
- https://plugins.trac.wordpress.org/changeset/3530843/kirki
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3b5630bd-5bce-4226-959f-5e81ae69b799?source=cve