Home

Description

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.

PUBLISHED Reserved 2026-05-07 | Published 2026-05-19 | Updated 2026-05-19 | Assigner Wordfence




MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

Any version
affected

Timeline

2026-05-15:Vendor Notified
2026-05-19:Disclosed

Credits

Giang Bui finder

References

www.wordfence.com/...-6a49-42f8-9927-93763d1502ce?source=cve

plugins.trac.wordpress.org/...i/tags/6.0.4/includes/Ajax.php

plugins.trac.wordpress.org/changeset/3535640/kirki

cve.org (CVE-2026-8096)

nvd.nist.gov (CVE-2026-8096)

Download JSON