CVE-2026-8206 | Severity: CRITICAL | CNA: Wordfence

CVE-2026-8206: Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (no fixed version published)
  • Affected products: 1


HarborGuard Analysis

Synopsis

An authentication bypass leading to privilege escalation affects the Kirki Freeform Page Builder, Website Builder and Customizer plugin for WordPress versions 6.0.0 through 6.0.6. The vulnerability is reachable over the network with no credentials required: the plugin's password-reset handler accepts an arbitrary attacker-controlled email address alongside a valid username, so the reset link is delivered to the attacker rather than the legitimate account owner. Successful exploitation gives the attacker full control of any registered user account, including administrator accounts, enabling complete site takeover with read, write, and availability impact. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
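As an added illustration (not the Kirki plugin's code, which this page does not reproduce), the following WordPress handler shows the defensive pattern that closes this class of flaw: the account is resolved from the submitted identifier alone, and the reset link is always sent to the email address stored for that account, never to an address supplied in the request. The function name, AJAX action and field names are assumptions.

```php
<?php
// Illustrative hardened forgot-password handler; assumes WordPress is loaded.
// Function, action and field names are hypothetical, not the plugin's own.

function hg_example_handle_forgot_password() {
    // Bind the request to a nonce issued with the form so it cannot be
    // submitted from arbitrary origins.
    check_ajax_referer( 'hg_example_forgot_password', 'nonce' );

    $login = isset( $_POST['user_login'] )
        ? sanitize_text_field( wp_unslash( $_POST['user_login'] ) )
        : '';
    if ( '' === $login ) {
        wp_send_json_error( array( 'message' => 'Missing username or email.' ), 400 );
    }

    // Resolve the account from the identifier only. Any separate 'email'
    // field in the request is deliberately ignored: the flaw described above
    // was delivering the reset link to a client-supplied address rather than
    // the one on record for the named user.
    $user = is_email( $login )
        ? get_user_by( 'email', $login )
        : get_user_by( 'login', $login );

    // Identical response whether or not the account exists, to avoid
    // username enumeration through this endpoint.
    $generic = array( 'message' => 'If that account exists, a reset link has been sent.' );
    if ( ! $user ) {
        wp_send_json_success( $generic );
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        wp_send_json_success( $generic );
    }

    $reset_url = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key )
            . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // Destination is always the stored address, never request input.
    wp_mail(
        $user->user_email,
        'Password reset request',
        "A password reset was requested for your account.\nIf this was you, visit:\n" . $reset_url
    );

    wp_send_json_success( $generic );
}
add_action( 'wp_ajax_nopriv_hg_example_forgot_password', 'hg_example_handle_forgot_password' );
```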

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-8206 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer container images, including custom-built WordPress images that bundle the Kirki plugin. No manual configuration is required for the scan to run.
Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and weights it against each environment's compliance policy to determine urgency and routing. Triage alerts are directed to the appropriate team inbox within each customer organization based on the affected workload's classification.
Patch: Pending upstream

No upstream fix version has been published for CVE-2026-8206. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released by the maintainer. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger without manual intervention once an upstream patch exists.

Exploit Conditions

  • Network reachability: Required

    The vulnerable password-reset endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or credentials of any kind are needed; the attack targets the unauthenticated password-reset flow.

  • Victim interaction: Not required

    The attacker receives the reset link at their own email address and completes the takeover without any action from the victim.

  • Attack complexity: Low

    The exploit is reliable and condition-free: no race conditions, memory layout dependencies, or environmental prerequisites are required beyond knowing a registered username.

Blast Radius

  • Attacker receives a valid password-reset link for any registered WordPress user, including administrators, and sets a new password of their choosing.
  • Full administrative access lets the attacker read all site content, stored user credentials, and private data held in the WordPress database.
  • Attacker can install or modify plugins and themes, inject malicious code into pages, or exfiltrate customer and subscriber records.
  • Site availability can be disrupted by the attacker deactivating plugins, deleting content, or locking out legitimate administrators.

How HarborGuard Handles This

Available on HarborGuard: continuous scanning for CVE-2026-8206 is active across all environments where Kirki-bundled WordPress images are present, with no fix version yet published by the maintainer. While no patched rebuild can be generated yet, HarborGuard monitors the advisory on every ingest cycle and will make a rebuilt image available automatically once an upstream fix ships. For customers with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads without manual steps. In the interim, compensating controls worth considering include network-policy rules that restrict external access to the WordPress admin and password-reset endpoints, web-application firewall rules that block requests to 'handle_forgot_password' with a mismatched email parameter, and feature-flag or plugin-deactivation approaches if the Kirki plugin is not strictly required in production containers.

Affected packages

  • themeum / Kirki – Freeform Page Builder, Website Builder & Customizer (≤ 6.0.6)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H