Security Advisory · Published 2026-06-03 · Actively exploited
Kirki Plugin CVE-2026-8206: Admin Account Takeover Self-Check
If you're running Kirki 6.0.0 through 6.0.6 on your WordPress site, treat the password reset flow as exposed. An unauthenticated request can redirect the admin reset link away from the legitimate mailbox. Wordfence reported blocked attempts, so this needs version and log review, not just a plugin update.
What happened
Kirki — officially "Kirki – Freeform Page Builder, Website Builder & Customizer" — is installed on over 500,000 WordPress sites. It's a visual builder. Lots of theme developers bundle it. You might have it without even knowing.
In version 6.0.0, the developers added a password reset feature with a custom REST API endpoint. The problem? The handle_forgot_password() function accepts whatever email address you give it. You say "reset password for user admin", and you give it hacker@evil.com. The plugin happily generates a valid reset link and sends it to hacker@evil.com.
That's it. That's the whole exploit. One request. Game over.
Am I affected?
You need to answer two questions:
- Is the Kirki plugin installed on your site?
- Is it version 6.0.0 through 6.0.6?
If both answers are yes, your site is vulnerable right now. Even if you've already updated, you need to check whether someone got in before you patched.
5-minute self-check
Step 1: Find out if Kirki is installed
Log into WordPress admin. Go to Plugins → Installed Plugins. Search for "Kirki". You're looking for anything with "Kirki" or "Freeform Page Builder" in the name.
Don't see it? You're not affected. Stop here. Go have a coffee.
See it? Note the version number. Keep reading.
Step 2: Check the version
- 6.0.7 or higher — you're patched. Still do Steps 3-5 to check for past compromise.
- 6.0.0 through 6.0.6 — you are vulnerable right now. Update immediately, then do Steps 3-5.
- Below 6.0.0 (5.x or older) — not affected by this specific CVE. The broken endpoint didn't exist yet.
Step 3: Look for unknown admin accounts
Go to Users → All Users. Filter by Administrator role. Look for:
- Accounts you don't recognise
- Email addresses you've never seen (especially free mail like protonmail, tutanota, guerrillamail)
- Accounts created in the past 2 weeks that nobody on your team made
- Generic usernames: admin, support, backup, wpdev
If you find a suspicious admin account: do not delete it from the UI yet. Note the username and email. You'll need it for the cleanup section below.
Step 4: Check for password resets you didn't request
Search your email (including spam) for "Password Reset" messages from your WordPress site that you didn't initiate. Also check your mail server logs if you can. If password reset emails were sent to addresses you don't own — that's the attack in action.
If you have Simple History, WP Activity Log, or any logging plugin, check for password_reset events in the past 2 weeks.
Step 5: Check for dropped web shells
Once an attacker has admin access, they often upload a backdoor PHP file. Check:
```shell
# Any PHP file under uploads is suspect: WordPress never writes PHP there.
find wp-content/uploads/ -type f -name "*.php"
# PHP files in plugins that are newer than wp-config.php and were modified in the last 14 days
find wp-content/plugins/ -name "*.php" -newer wp-config.php -mtime -14
```
Via cPanel File Manager: browse wp-content/uploads/ and look for any .php file. There should be zero PHP files in uploads.
Also check for recently installed plugins you didn't add — attackers love installing a file manager plugin to maintain access after you change passwords.
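Steps 3 to 5 can be run in one pass with WP-CLI. This is an added example, not part of the advisory or of Kirki; it assumes WP-CLI is available and is run from the site root with `wp eval-file kirki-selfcheck.php` (the filename is a placeholder), and it uses the advisory's two-week window as its cutoff:

```php
<?php
// Added example (not from the advisory or from Kirki). Run from the site root:
//   wp eval-file kirki-selfcheck.php
// so WordPress is loaded. Automates Steps 3-5: administrator accounts,
// pending password reset keys, and PHP files under wp-content/uploads.
$window_days = 14;                                   // assumption: the advisory's "past 2 weeks"
$cutoff      = time() - $window_days * DAY_IN_SECONDS;

// Step 3: list every administrator and flag recent registrations
// (user_registered is stored in UTC).
foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
    $registered = strtotime( $user->user_registered . ' UTC' );
    $flag       = ( $registered >= $cutoff ) ? 'NEW: created inside window' : '';

    // Step 4: an unconsumed reset key is stored as "<unix time>:<hash>" in
    // user_activation_key and is only cleared when the reset completes, so a
    // recent timestamp here means a reset link was generated but never used.
    $key = (string) $user->user_activation_key;
    if ( '' !== $key && false !== strpos( $key, ':' ) ) {
        list( $issued ) = explode( ':', $key, 2 );
        if ( ctype_digit( $issued ) && (int) $issued >= $cutoff ) {
            $flag .= ' PENDING RESET KEY issued ' . gmdate( 'Y-m-d H:i', (int) $issued ) . ' UTC';
        }
    }
    printf( "%-5d %-20s %-35s %s %s\n", $user->ID, $user->user_login, $user->user_email, $user->user_registered, $flag );
}

// Step 5: there should be no PHP files under uploads at all (also catch
// .php5, .phtml and .phar, which many hosts execute as PHP).
$uploads = wp_upload_dir()['basedir'];
$files   = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator( $uploads, FilesystemIterator::SKIP_DOTS )
);
foreach ( $files as $file ) {
    if ( preg_match( '/\.ph(p\d?|tml|ar)$/i', $file->getFilename() ) ) {
        printf( "SUSPICIOUS FILE: %s (modified %s UTC)\n", $file->getPathname(), gmdate( 'Y-m-d H:i', $file->getMTime() ) );
    }
}
```

A flagged account or file is a lead, not a verdict: compare it against who on your team created accounts and what was legitimately uploaded in the window.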
How to fix it
- Update Kirki to 6.0.7 or later. WordPress admin → Plugins → Update. Do this first. Everything else is useless if the front door is still open.
- Change all admin passwords. Every single admin account. Not just yours — all of them. Use strong randomly generated passwords.
- Rotate WordPress secret keys. Visit api.wordpress.org/secret-key/1.1/salt, copy all 8 lines, paste into wp-config.php replacing the old ones. This kills every active session, including the attacker's.
- Delete rogue admin accounts. If you found unknowns in Step 3, delete them now.
- Remove web shells. Delete any PHP files found in wp-content/uploads/. Remove unknown plugins.
- Enable 2FA. Install Wordfence Login Security or WP 2FA. Every admin account. No exceptions.
- Enable auto-updates for plugins. Plugins → select all → Enable auto-updates. This specific bug had a patch available for 2 weeks before mass exploitation started. Auto-updates would have saved you.
The technical details (for the curious)
The vulnerable code is in CompLibFormHandler.php. The handle_forgot_password() method registers a REST route that:
- Accepts a POST with username and email fields
- Looks up the user by username — valid, that part's fine
- Generates a password reset key using get_password_reset_key()
- Sends the reset link to... the email field from the request. Not the user's registered email. The attacker's email.
That's a textbook broken access control. The fix in 6.0.7 validates that the supplied email matches the user's registered email before sending. One line of validation that should have been there from the start.
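A simplified illustration of the pattern described above, written for this page and not Kirki's actual code: the route namespace, function names and request fields are assumptions, and only the trust flaw and the comparison that fixes it correspond to the advisory. The WordPress functions used (register_rest_route, get_user_by, get_password_reset_key, wp_mail) are real core APIs.

```php
<?php
// Added illustration, not Kirki's code: route namespace, callback names and
// request shape are assumptions. Only the fixed handler is wired to the route.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-builder/v1', '/forgot-password', array( // placeholder route
        'methods'             => 'POST',
        'callback'            => 'example_forgot_password_fixed',
        'permission_callback' => '__return_true', // the endpoint is meant to be unauthenticated
    ) );
} );

// BROKEN PATTERN: the reset link is mailed to whatever address the request supplies.
function example_forgot_password_vulnerable( WP_REST_Request $req ) {
    $user = get_user_by( 'login', sanitize_user( (string) $req->get_param( 'username' ) ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) ); // also confirms valid logins
    }
    $key  = get_password_reset_key( $user );
    $link = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
    // The recipient comes from the request, not from the user record.
    wp_mail( sanitize_email( (string) $req->get_param( 'email' ) ), 'Password reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

// FIXED PATTERN: the supplied email is only compared against the registered one;
// the mail always goes to $user->user_email, and the response is identical
// whether or not the pair matched, so valid logins are not enumerable.
function example_forgot_password_fixed( WP_REST_Request $req ) {
    $login = sanitize_user( (string) $req->get_param( 'username' ) );
    $email = sanitize_email( (string) $req->get_param( 'email' ) );
    $user  = get_user_by( 'login', $login );
    if ( $user && is_email( $email )
         && hash_equals( strtolower( $user->user_email ), strtolower( $email ) ) ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url( "wp-login.php?action=rp&key=$key&login=" . rawurlencode( $user->user_login ), 'login' );
            wp_mail( $user->user_email, 'Password reset', $link ); // registered address only
        }
    }
    return rest_ensure_response( array( 'sent' => true ) ); // same answer in every case
}
```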
Timeline
| Date | Event |
|---|---|
| May 4 | Researcher CHOIGYENGMIN reports to Wordfence |
| May 16 | Wordfence notifies Kirki vendor |
| May 18 | Fix released in version 6.0.7 |
| June 2 | CVE-2026-8206 published on NVD; BleepingComputer reports active exploitation |
| June 2 | Wordfence: 222 blocked attempts in 24 hours |
Who's getting hit?
According to WordPress.org download stats, about 40% of Kirki's 500,000+ installs are still on the vulnerable 6.0.x branch. That's roughly 200,000 sites sitting with the front door open.
The attack is completely automated — no skill needed, just a script that guesses common admin usernames (admin, administrator, the site domain). If your admin username is predictable, you're a target.
Authoritative sources
- NVD — CVE-2026-8206
- BleepingComputer — Critical Kirki flaw exploited
- Patchstack advisory
- Kirki plugin changelog
- Wordfence threat intel
Related guides on Ping7
- WordPress CVE-2026-1492 self-check (User Registration plugin)
- WordPress site hacked — full recovery guide
- Find hidden backdoors after a server hack
- Active Threat Tracker — all tracked CVEs
Need professional help?
If you found rogue admins or web shells and aren't sure how deep the compromise goes — that's what we do. WordPress compromise check: $49. Full incident response with forensics timeline, backdoor hunt, and written report: $99-$299. Bilingual (English + Chinese). 24-hour turnaround.
Details: /cve-repair. The useful output is a clear verdict: clean, suspicious, or compromised, with the exact next step for each case.