Security Advisory · Published 2026-06-03 · Actively exploited

Kirki Plugin CVE-2026-8206: Admin Account Takeover Self-Check

If you're running Kirki 6.0.0 through 6.0.6 on your WordPress site, treat the password reset flow as exposed. A single unauthenticated request gets an administrator's reset link mailed to an address the attacker picks instead of the account's registered mailbox. Wordfence has already reported blocked attempts in the wild, so this needs a version check and a log review, not just a plugin update.

What happened

Kirki — officially "Kirki – Freeform Page Builder, Website Builder & Customizer" — is installed on over 500,000 WordPress sites. It's a visual builder. Lots of theme developers bundle it. You might have it without even knowing.

In version 6.0.0, the developers added a password reset feature with a custom REST API endpoint. The problem? The handle_forgot_password() function accepts whatever email address you give it. You say "reset password for user admin", and you give it hacker@evil.com. The plugin happily generates a valid reset link and sends it to hacker@evil.com.

That's it. That's the whole exploit. One request. Game over.

Am I affected?

You need to answer two questions:

  1. Is the Kirki plugin installed on your site?
  2. Is it version 6.0.0 through 6.0.6?

If both answers are yes, your site is vulnerable right now. Even if you've already updated, you need to check whether someone got in before you patched.

5-minute self-check

Step 1: Find out if Kirki is installed

Log into WordPress admin. Go to Plugins → Installed Plugins. Search for "Kirki". You're looking for anything with "Kirki" or "Freeform Page Builder" in the name.

Don't see it under Plugins? Theme developers sometimes ship Kirki inside the theme rather than as a separate plugin, so also skim your active theme's readme or changelog for a bundled Kirki and its version. Nothing there either? You're not affected. Stop here. Go have a coffee.

See it? Note the version number. Keep reading.

Step 2: Check the version

  • 6.0.7 or higher — you're patched. Still do Steps 3-5 to check for past compromise.
  • 6.0.0 through 6.0.6 — you are vulnerable right now. Update immediately, then do Steps 3-5.
  • Below 6.0.0 (5.x or older) — not affected by this specific CVE. The broken endpoint didn't exist yet.

Step 3: Look for unknown admin accounts

Go to Users → All Users. Filter by Administrator role. Look for:

  • Accounts you don't recognise
  • Email addresses you've never seen (especially free mail like protonmail, tutanota, guerrillamail)
  • Accounts created in the past 2 weeks that nobody on your team made (the Users screen doesn't show registration dates; the user_registered column in the wp_users table does)
  • Generic usernames: admin, support, backup, wpdev

If you find a suspicious admin account: do not delete it from the UI yet. Note the username and email. You'll need it for the cleanup section below.

Step 4: Check for password resets you didn't request

Search your email (including spam) for "Password Reset" messages from your WordPress site that you didn't initiate. Also check your mail server logs if you can. If password reset emails were sent to addresses you don't own — that's the attack in action.

If you have Simple History, WP Activity Log, or any logging plugin, check for password_reset events in the past 2 weeks.

Step 5: Check for dropped web shells

Once an attacker has admin access, they often upload a backdoor PHP file. Check:

find wp-content/uploads/ -type f -name "*.php"
find wp-content/plugins/ wp-content/themes/ -type f -name "*.php" -mtime -14

Run these before you change anything else: rotating salts edits wp-config.php, and re-saving or re-uploading files disturbs the modification times you're hunting on.

Via cPanel File Manager: browse wp-content/uploads/ and look for any .php file. There should be zero PHP files in uploads.

Also check for recently installed plugins you didn't add — attackers love installing a file manager plugin to maintain access after you change passwords.
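If you'd rather script the Step 5 checks than eyeball a file manager, here is an added example (not code from the advisory or from Kirki): a PHP CLI script you run from the WordPress root, chosen because PHP is on every WordPress host. The indicator patterns, the directories scanned, the extension list and the 14-day default are the author's assumptions, not anything the advisory specifies.

```php
<?php
// Added example, not part of the Kirki plugin or of this advisory's original text.
// Scans a WordPress install for the two indicators Step 5 describes:
//   1. any PHP-ish file under wp-content/uploads/ (there should be none)
//   2. PHP files under wp-content/plugins/ and wp-content/themes/ modified in the
//      last N days that also contain constructs common in web shells.
// Run from the WordPress root:  php shell-check.php [days]     (default: 14)
// Exit status 0 = nothing found, 2 = findings to review.

declare(strict_types=1);

// Regexes for constructs web shells lean on (author's list; legitimate plugins
// can match too, so hits are triage candidates, not verdicts).
const SHELL_INDICATORS = [
    '/\beval\s*\(/i',
    '/\bbase64_decode\s*\(/i',
    '/\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(/i',
    '/\bassert\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)/i',
    '/\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(/i',   // $_GET['x']() style
    '/\bmove_uploaded_file\s*\(/i',
];

// Extensions the web server may execute as PHP (server config decides; scanning
// the wider set is cheap).
const PHP_EXTENSIONS = ['php', 'phtml', 'php5', 'php7', 'phar'];

/** Yield every regular PHP-like file below $root (symlinks are not followed). */
function phpFiles(string $root): Generator
{
    if (!is_dir($root)) {
        return;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && in_array(strtolower($file->getExtension()), PHP_EXTENSIONS, true)) {
            yield $file->getPathname();
        }
    }
}

/** Return the indicator patterns that match the file's contents. */
function shellIndicators(string $path): array
{
    $src = @file_get_contents($path);
    if ($src === false) {
        return [];
    }
    $hits = [];
    foreach (SHELL_INDICATORS as $re) {
        if (preg_match($re, $src) === 1) {
            $hits[] = $re;
        }
    }
    return $hits;
}

$days     = isset($argv[1]) ? max(1, (int) $argv[1]) : 14;
$cutoff   = time() - $days * 86400;
$findings = [];

// 1. Any PHP file in uploads is a finding on its own.
foreach (phpFiles('wp-content/uploads') as $path) {
    $findings[] = "[uploads] $path";
}

// 2. Recently modified plugin/theme PHP that also carries shell indicators.
foreach (['wp-content/plugins', 'wp-content/themes'] as $dir) {
    foreach (phpFiles($dir) as $path) {
        $mtime = filemtime($path);
        if ($mtime === false || $mtime < $cutoff) {
            continue;
        }
        $hits = shellIndicators($path);
        if ($hits) {
            $findings[] = sprintf('[recent+indicators] %s (modified %s) %s',
                $path, date('Y-m-d', $mtime), implode(' ', $hits));
        }
    }
}

if (!$findings) {
    echo "No PHP files in uploads; no plugin/theme PHP modified in the last $days days with shell indicators.\n";
    exit(0);
}
echo count($findings), " finding(s) to review:\n";
foreach ($findings as $f) {
    echo $f, "\n";
}
exit(2);
```

Run it before you clean anything, so modification times are still meaningful. Expect some noise from legitimate code that uses base64_decode or eval (obfuscated premium plugins, caching layers); the point is a short list to read, not an automatic delete. The non-zero exit status lets you hang it off cron and alert on change.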

How to fix it

  1. Update Kirki to 6.0.7 or later. WordPress admin → Plugins → Update. Do this first. Everything else is useless if the front door is still open.
  2. Change all admin passwords. Every single admin account. Not just yours — all of them. Use strong randomly generated passwords.
  3. Rotate WordPress secret keys. Visit api.wordpress.org/secret-key/1.1/salt, copy all 8 lines, paste into wp-config.php replacing the old ones. This kills every active session, including the attacker's.
  4. Delete rogue admin accounts. If you found unknowns in Step 3, delete them now, and when WordPress asks, attribute their content to a trusted user so you can review what they posted. Then open the profile of every admin you keep and revoke any Application Passwords you don't recognise: salt rotation kills cookie sessions, not those.
  5. Remove web shells. Delete any PHP files found in wp-content/uploads/. Remove unknown plugins.
  6. Enable 2FA. Install Wordfence Login Security or WP 2FA. Every admin account. No exceptions.
  7. Enable auto-updates for plugins. Plugins → select all → Enable auto-updates. This specific bug had a patch available for 2 weeks before mass exploitation started. Auto-updates would have saved you.

The technical details (for the curious)

The vulnerable code is in CompLibFormHandler.php. The handle_forgot_password() method there backs a REST route that:

  1. Accepts a POST with username and email fields
  2. Looks up the user by username — valid, that part's fine
  3. Generates a password reset key using get_password_reset_key()
  4. Sends the reset link to... the email field from the request. Not the user's registered email. The attacker's email.

That's a textbook weak password-recovery design: the server lets the client choose where the secret goes. The fix in 6.0.7 validates that the supplied email matches the user's registered email before sending. One line of validation that should have been there from the start. The stricter design is not to accept an email parameter at all: look the user up, mail user_email, and answer identically whether or not the account exists, so the endpoint can't be used to enumerate usernames either.
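To make the flaw concrete, here is an added example (not Kirki's actual code, and not from the advisory) that reconstructs the handler shape described above and puts a hardened version beside it. The route namespace example/v1, the function names and the response wording are assumptions for illustration; the WordPress functions used (get_user_by, get_password_reset_key, network_site_url, wp_mail, register_rest_route) are real core APIs.

```php
<?php
// Added example, not the Kirki plugin's code. Reconstructs the described flaw
// (reset link mailed to a request-supplied address) and shows a hardened handler.
// Route namespace 'example/v1' and function names are assumptions.

// --- Vulnerable shape: trusts the caller's "email" field ---------------------
function example_forgot_password_vulnerable( WP_REST_Request $request ) {
    $login = sanitize_user( (string) $request->get_param( 'username' ) );
    $user  = get_user_by( 'login', $login );
    if ( ! $user ) {
        // Also leaks which usernames exist.
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    // BUG: destination comes from the request body, so anyone can have the
    // admin's valid reset link mailed to a mailbox they control.
    wp_mail( (string) $request->get_param( 'email' ), 'Password Reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

// --- Hardened shape: no email parameter, uniform response --------------------
function example_forgot_password_hardened( WP_REST_Request $request ) {
    $login = sanitize_user( (string) $request->get_param( 'username' ) );
    $user  = get_user_by( 'login', $login );

    if ( $user ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            // Deliver only to the address WordPress has on file. Nothing in the
            // request can redirect it.
            wp_mail( $user->user_email, 'Password Reset', "Reset your password: $link" );
        }
    }

    // Same reply whether or not the account exists: no username enumeration.
    return rest_ensure_response( array(
        'message' => 'If that account exists, a reset link has been sent to its registered address.',
    ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_forgot_password_hardened',
        // Public by design (a logged-out user needs it); the safety is in the callback.
        'permission_callback' => '__return_true',
        'args'                => array(
            'username' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The 6.0.7 patch, as the advisory describes it, keeps the email parameter and compares it to the stored address; the version above drops the parameter entirely, which removes the whole class of mistake rather than guarding one instance of it. WordPress core has shipped this exact logic as retrieve_password() since 5.7, so a plugin rarely needs its own implementation at all.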

Timeline

Date      Event
May 4     Researcher CHOIGYENGMIN reports to Wordfence
May 16    Wordfence notifies Kirki vendor
May 18    Fix released in version 6.0.7
June 2    CVE-2026-8206 published on NVD; BleepingComputer reports active exploitation
June 2    Wordfence: 222 blocked attempts in 24 hours

Who's getting hit?

According to WordPress.org's version stats, about 40% of Kirki's 500,000+ installs report a 6.0 version. Those stats don't separate patched 6.0.7 from vulnerable 6.0.0 through 6.0.6, so roughly 200,000 sites is the upper bound on how many are still sitting with the front door open; some share of those have already updated, but the exposed population is still large.

The attack is completely automated: no skill needed, just a script that tries common admin usernames (admin, administrator, the site domain). A predictable username makes you an easier target, but don't count on an obscure one to save you. WordPress gives usernames away through /wp-json/wp/v2/users for any user with published posts and through the /?author=1 redirect, and the endpoint itself needs no authentication. Patch first; username hygiene is secondary.

Need professional help?

If you found rogue admins or web shells and aren't sure how deep the compromise goes — that's what we do. WordPress compromise check: $49. Full incident response with forensics timeline, backdoor hunt, and written report: $99-$299. Bilingual (English + Chinese). 24-hour turnaround.

Details: /cve-repair. The useful output is a clear verdict: clean, suspicious, or compromised, with the exact next step for each case.