CYBERHAWK / CVE / CVE-2026-8206

CVE-2026-8206

Kirki WordPress Plugin

CRITICAL CVSS 9.8 vibe

The flaw

Privilege escalation via account takeover using arbitrary email in password reset.

What to do

Update to Kirki version 6.0.7 or later

▸ Scan my repo for CVE-2026-8206

References

NVD CISA KEV OSV GitHub Advisory MITRE News search

In the news

Critical Kirki flaw exploited to hijack WordPress admin accountsBleepingComputer · 2026-06-02
Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ CrosshairsSecurityWeek · 2026-06-03
WordPress Kirki plugin vulnerability allows account takeoverSC Media · 2026-06-04

First seen 2026-06-05 · Tracked by PickBits CyberHawk · Weekly CVE digest

← All CVEs RSS Scheduled audits