Critical Kirki WordPress flaw CVE-2026-8206 exploited to hijack admin accounts via password-reset redirect - 500,000 installs, 222+ attacks blocked

Hackers are exploiting CVE-2026-8206, a critical privilege-escalation flaw in the Kirki - Freeform Page Builder WordPress plugin, to take over any account including administrators. Defiant's Wordfence blocked over 222 attempts against customers in 24 hours. The plugin is active on more than 500,000 sites; the bug was introduced in version 6.0.0 and affects up to 6.0.6 (nearly 40% of the userbase). It stems from a custom REST password-reset endpoint that accepts an arbitrary email: when a username is supplied, the plugin sends a valid reset link to the attacker-controlled address instead of the owner's. The vendor fixed it in 6.0.7 on May 18; admins should upgrade or disable immediately.

Check
Inventory WordPress sites for the Kirki plugin and confirm the installed version. Audit user accounts and password-reset logs for reset links sent to unfamiliar email addresses since version 6.0.0 was deployed.
Affected
Kirki - Freeform Page Builder versions 6.0.0 through 6.0.6 (nearly 40% of 500,000+ installs). The REST password-reset endpoint sends valid reset links to attacker-supplied email addresses for any user.
Fix
Upgrade Kirki to 6.0.7 or disable the plugin immediately. Remove unauthorized admin accounts, rotate all admin credentials, and audit for web shells, malicious plugins, and backdoors.
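One way to script the Check step above, as an added example that is not part of this advisory or the Kirki project: it flags installs in the 6.0.0 to 6.0.6 range and reset links delivered to an address other than the account's registered one. The site inventory, the log line format and the user list are constructed for illustration; adapt the regex to whatever your mailer or audit plugin actually writes.

```python
import re
from typing import Iterable

# Version range named in the advisory: 6.0.0 through 6.0.6 affected, 6.0.7 fixed.
AFFECTED_MIN, AFFECTED_MAX = (6, 0, 0), (6, 0, 6)

def parse_version(v: str) -> tuple:
    """'6.0.6' -> (6, 0, 6); tolerates extra or missing components."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(version: str) -> bool:
    """True when the installed Kirki version falls in the affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

# Constructed inventory: site -> installed Kirki version (None = not installed).
INVENTORY = {"shop.example": "6.0.3", "blog.example": "5.9.1",
             "docs.example": None, "app.example": "6.0.7"}

def vulnerable_sites(inventory=INVENTORY) -> list:
    """Sites that still run an affected build and need 6.0.7 or the plugin disabled."""
    return sorted(s for s, v in inventory.items() if v and is_affected(v))

# Constructed (hypothetical) log format; one line per reset e-mail sent:
#   <timestamp> password_reset user=<login> sent_to=<address>
LOG_RE = re.compile(r"^(?P<ts>\S+) password_reset user=(?P<user>\S+) sent_to=(?P<to>\S+)$")

# Constructed registered addresses; in practice pull these from wp_users.
REGISTERED = {"alice": "alice@shop.example", "admin": "owner@shop.example"}

SAMPLE_LOG = """\
2026-05-17T10:02:11Z password_reset user=alice sent_to=alice@shop.example
2026-05-17T10:05:40Z password_reset user=admin sent_to=unknown-mailbox@example.net
2026-05-17T10:06:02Z password_reset user=admin sent_to=OWNER@shop.example
"""

def suspicious_resets(lines: Iterable[str], registered=REGISTERED) -> list:
    """Reset links sent to an address that is not the account's own (case-insensitive)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        expected = registered.get(m["user"])
        if expected is None or m["to"].lower() != expected.lower():
            hits.append((m["ts"], m["user"], m["to"]))
    return hits

if __name__ == "__main__":
    print("affected installs:", vulnerable_sites())
    for ts, user, to in suspicious_resets(SAMPLE_LOG.splitlines()):
        print(f"{ts}: reset for {user!r} went to unexpected address {to}")
```

Any hit from suspicious_resets is a candidate for the account cleanup and credential rotation described under Fix.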