cleantalk
Vulnerabilities and Security Researches

Kirki Customizer Framework, CVE-2026-8206

CVE, Research URL

CVE-2026-8206

Home page URL

Security reports for Kirki Customizer Framework

Application

Kirki Customizer Framework

Published on
Jun 02, 2026
Research Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.
Affected versions
max 6.0.7.
Status
vulnerable
Previous vulnerability researches
Search Everything (CVE-2014-2316) , Jun 07, 2024
Search Everything (CVE-2016-10917) , Jun 07, 2024
Search Everything (CVE-2017-18571) , Jun 07, 2024
Search Everything (CVE-2014-3843) , Jun 07, 2024
New vulnerability
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2026-39447) , Jun 03, 2026
Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP (CVE-2026-27053) , Jun 03, 2026
Customizable WordPress Gallery Plugin – Modula Image Gallery (CVE-2026-42688) , Jun 03, 2026
Tiled Gallery Carousel Without JetPack (CVE-2026-5191) , Jun 03, 2026
Kirki Customizer Framework (CVE-2026-8206) , Jun 03, 2026