CVE-2026-8206— Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8206
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
特权管理不恰当
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| themeum | Kirki – Freeform Page Builder, Website Builder & Customizer | 6.0.0 ~ 6.0.6 | - |
II. Public POCs for CVE-2026-8206
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8206
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-8206 (4)
Other References for CVE-2026-8206 (1)
IV. Related Vulnerabilities
Same vendor: themeum
- CVE-2026-8073
Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read - CVE-2026-8096
Kirki <= 6.0.6 - Missing Authorization to Authenticated (Sub - CVE-2026-6965
Tutor LMS <= 3.9.9 - Insecure Direct Object Reference to Aut - CVE-2026-5502
Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary C - CVE-2026-6080
Tutor LMS <= 3.9.8 - Authenticated (Admin+) SQL Injection vi
Same weakness: CWE-269
- CVE-2026-10217
nextlevelbuilder GoClaw RoleAdmin Gateway tts_config.go hand - CVE-2026-7465
Spectra Gutenberg Blocks <= 2.19.25 - Authenticated (Contrib - CVE-2026-47744
Shopper: Authorization bypass and RBAC privilege escalation - CVE-2026-45043
RustFS: ImportIam Allows Creation of Backdoor Service Accoun - CVE-2026-8809
Advanced Custom Fields: Extended <= 0.9.2.5 - Unauthenticate
V. Comments for CVE-2026-8206
No comments yet