If you run a WordPress site with the Kirki Freeform Page Builder plugin installed, you need to take action immediately. A critical vulnerability, CVE-2026-8206, is being actively exploited in the wild and can allow attackers to hijack administrator accounts with a single HTTP request.
What is CVE-2026-8206?
Kirki Freeform Page Builder is a popular WordPress plugin with over 500,000 active installations. The plugin exposes a custom REST API endpoint intended to handle password reset requests.
The vulnerable endpoint, often referred to as something like handle_forgot_password, accepts two parameters:
- username – the WordPress username whose password should be reset
- email – the email address where the reset link should be sent
The core issue: the endpoint does not verify that the supplied email address actually belongs to the specified user account.
In practice, this means an attacker can:
- Identify or guess an administrator username (e.g., admin or a known account name).
- Call the vulnerable REST endpoint with that username and an email address they control.
- Receive a valid password reset link for the administrator account in their own inbox.
- Use the link to set a new password and fully take over the admin account.
No authentication is required to call this endpoint. The entire attack can be carried out with a single unauthenticated HTTP request.
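To make the missing check concrete, here is an added illustration of the bug class and its fix written for this article; it is not the Kirki plugin's actual code, and the route namespace (example-plugin/v1), route path and callback name are hypothetical. The handler takes the same two parameters the advisory describes and refuses to send anything unless the supplied email is the one stored on the account, delegating the actual mailing to WordPress core's retrieve_password(), which only ever writes to the stored address.

```php
<?php
// Added example for this advisory, not the plugin's own code.
// Namespace, route and function names below are hypothetical.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password',
        // Public by design: a user who forgot their password is logged out.
        'permission_callback' => '__return_true',
        'args'                => array(
            'username' => array( 'required' => true, 'sanitize_callback' => 'sanitize_user' ),
            'email'    => array( 'required' => true, 'sanitize_callback' => 'sanitize_email' ),
        ),
    ) );
} );

function example_handle_forgot_password( WP_REST_Request $request ) {
    $username = $request->get_param( 'username' );
    $email    = $request->get_param( 'email' );

    $user = get_user_by( 'login', $username );

    // The vulnerable pattern described above stops here and mails a reset link
    // to whatever $email the caller supplied. The fix: the supplied address must
    // match the address on record for that account (compared case-insensitively,
    // with a constant-time comparison).
    $matches = ( $user instanceof WP_User )
        && is_email( $email )
        && hash_equals( strtolower( $user->user_email ), strtolower( $email ) );

    if ( $matches ) {
        // retrieve_password() (WordPress 5.7+) generates the reset key and mails
        // the link to the account's stored email, never to a caller-supplied one.
        $result = retrieve_password( $user->user_login );
        if ( is_wp_error( $result ) ) {
            error_log( 'forgot-password: ' . $result->get_error_message() );
        }
    }

    // Identical response whether or not the pair matched, so the endpoint cannot
    // be used to confirm which usernames exist or which email belongs to whom.
    return rest_ensure_response( array(
        'message' => 'If the username and email match an account, a reset link has been sent.',
    ) );
}
```

Two design points worth noting: the reset link's destination is taken from the user record, not from the request, so even a correct username paired with an attacker's address sends nothing to the attacker; and the handler returns the same message on the no-match path, so the fixed endpoint does not become a username or email oracle in the process.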
Impact
Once an attacker gains administrator access, they can:
- Install backdoors or malicious plugins/themes
- Modify site content and inject malware or phishing pages
- Exfiltrate user data and configuration details
- Create additional admin accounts to maintain persistence
Because Kirki is installed on over 500,000 WordPress sites, the potential blast radius is extremely large. Active exploitation has already been observed, which means unpatched sites are at immediate risk.
What you should do right now
You have two safe options:
- Upgrade Kirki Freeform Page Builder to version 6.0.7 immediately.
- If you cannot update right away, disable the plugin.
Additional recommended steps
Even after patching or disabling the plugin, consider the following hardening and incident-response steps:
- Review administrator accounts
- Audit recent logins and activity
- Change admin passwords
- Enable two-factor authentication (2FA)
- Keep plugins and themes updated
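The first two steps above (reviewing administrator accounts and auditing recent activity) can be started from the command line. The following is an added script written for this article, not part of the advisory or the plugin; run it with WP-CLI as `wp eval-file audit-admins.php`. It lists every administrator and flags the two things an incident responder would look at first after a suspected takeover: accounts created inside a recent window (a common persistence artifact) and accounts whose email is on a domain other than the site's own, since a reset link goes wherever user_email points. The 14-day window and the domain heuristic are assumptions to adjust per site.

```php
<?php
// Added example for this advisory (not the plugin's code). Run with:
//   wp eval-file audit-admins.php
// Thresholds and the domain heuristic are assumptions; adjust per site.

$recent_days = 14;                                        // assumed review window
$site_domain = wp_parse_url( home_url(), PHP_URL_HOST );
$cutoff      = time() - $recent_days * DAY_IN_SECONDS;

$admins = get_users( array( 'role' => 'administrator' ) );

WP_CLI::log( sprintf( '%d administrator account(s) on %s', count( $admins ), $site_domain ) );

foreach ( $admins as $admin ) {
    $flags = array();

    // Newly created admins are the classic post-compromise persistence artifact.
    if ( strtotime( $admin->user_registered ) >= $cutoff ) {
        $flags[] = 'registered within ' . $recent_days . ' days';
    }

    // A reset link is mailed to user_email, so an admin whose address is on an
    // unexpected domain deserves a manual look (legitimate on many sites, hence
    // a flag rather than a verdict).
    $email_domain = substr( strrchr( $admin->user_email, '@' ), 1 );
    if ( strcasecmp( $email_domain, $site_domain ) !== 0 ) {
        $flags[] = 'email domain ' . $email_domain;
    }

    WP_CLI::log( sprintf(
        '%-20s %-35s registered %s %s',
        $admin->user_login,
        $admin->user_email,
        $admin->user_registered,
        $flags ? '[CHECK: ' . implode( '; ', $flags ) . ']' : ''
    ) );
}
```

WordPress core does not record login times or password changes by itself, so the script deliberately reports only fields every installation has (user_registered and user_email); pair it with your web server's access logs and any activity-log plugin you already run to cover the "audit recent logins" step.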
Summary
- Vulnerability: CVE-2026-8206 in Kirki Freeform Page Builder
- Issue: Unauthenticated REST endpoint sends password reset links to any supplied email, without verifying ownership
- Impact: Full administrator account takeover with a single HTTP request
- Action: Update to Kirki 6.0.7 immediately, or disable the plugin until you can patch
If Kirki Freeform Page Builder is active on your WordPress site, treat this as an emergency change: patch or disable the plugin now, then review your admin accounts and logs for signs of compromise.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you need help auditing your WordPress security posture.