CVE-2026-8206 – Kirki 6.0.0 – 6.0.6 – Unauthenticated Privilege Escalation via ‘handle_forgot_password’

CVE ID :CVE-2026-8206

Published : June 2, 2026, 4:17 a.m. | 15 minutes ago

Description :The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-3198 – Improper Access Control in mlflow/mlflow

CVE-2026-10583 – nextlevelbuilder GoClaw TTS Configuration Endpoint tts_config.go import server-side request forgery

CVE-2026-10581 – DedeCMS download.php base64_decode server-side request forgery

CVE-2026-3871 – Zyxel UPnP Buffer Overflow Denial-of-Service