cleantalk
Vulnerabilities and Security Researches

Kirki Customizer Framework, CVE-2026-8206

CVE, Research URL

CVE-2026-8206

Home page URL

Security reports for Kirki Customizer Framework

Application

Kirki Customizer Framework

Published on
Jun 02, 2026
Research Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.
Affected versions
max 6.0.7.
Status
vulnerable
Previous vulnerability researches
Views for WPForms – Display & Edit WPForms Entries on your site frontend (CVE-2024-0371) , Jun 07, 2024
Views for WPForms – Display & Edit WPForms Entries on your site frontend (CVE-2024-0374) , Jun 07, 2024
Views for WPForms – Display & Edit WPForms Entries on your site frontend (CVE-2024-0372) , Jun 07, 2024
Views for WPForms – Display & Edit WPForms Entries on your site frontend (CVE-2024-0370) , Jun 07, 2024
Views for WPForms – Display & Edit WPForms Entries on your site frontend (CVE-2024-0373) , Jun 07, 2024
New vulnerability
LearnPress – WordPress LMS Plugin (CVE-2026-48865) , Jun 03, 2026
Word Replacer (CVE-2026-3620) , Jun 03, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2026-39447) , Jun 03, 2026
Broadcast Live Video – Live Streaming : HTML5, WebRTC, HLS, RTSP, RTMP (CVE-2026-27053) , Jun 03, 2026
Customizable WordPress Gallery Plugin – Modula Image Gallery (CVE-2026-42688) , Jun 03, 2026