cleantalk
Vulnerabilities and Security Researches

Kirki Customizer Framework, CVE-2026-8096

CVE, Research URL

CVE-2026-8096

Home page URL

Security reports for Kirki Customizer Framework

Application

Kirki Customizer Framework

Published on
May 20, 2026
Research Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.
Affected versions
max 6.0.7.
Status
vulnerable
Previous vulnerability researches
Kirki Customizer Framework (CVE-2026-8073) , May 22, 2026
Kirki Customizer Framework (CVE-2026-8096) , May 22, 2026
New vulnerability
Kirki Customizer Framework (CVE-2026-8096) , May 22, 2026
Kirki Customizer Framework (CVE-2026-8073) , May 22, 2026
Five Star Restaurant Reservations – WordPress Booking Plugin (CVE-2026-42670) , May 22, 2026
GiveWP – Donation Plugin and Fundraising Platform (CVE-2026-42678) , May 21, 2026
Smart Coupons For WooCommerce Coupons (CVE-2026-45438) , May 21, 2026