Attackers exploit Kirki WordPress plugin flaw CVE-2026-8206 to hijack administrator accounts

Attackers are exploiting a critical flaw in the Kirki WordPress plugin that can let them take over administrator accounts on affected websites. CVE-2026-8206 affects Kirki versions 6.0.0 through 6.0.6 and abuses a password-reset REST API endpoint so an unauthenticated attacker can send a valid reset link for any user to an attacker-controlled email address. Wordfence says it blocked more than 222 exploit attempts in 24 hours, and the fix shipped in version 6.0.7.
Why it matters: Sites using affected Kirki versions can be quickly hijacked, letting attackers change content, install malicious plugins, or plant persistent backdoors. This is urgent for WordPress administrators: update to 6.0.7 immediately or disable the plugin, and review privileged accounts for suspicious password resets or changes.
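The remediation steps above (confirm the installed version, update or disable the plugin, review privileged accounts) can be scripted. The following triage helper is an added example, not code from the article, Wordfence, or the Kirki project. It checks a version string against the affected range 6.0.0 through 6.0.6 named in the advisory and, when WP-CLI is available, lists administrator accounts and any accounts holding an outstanding password-reset key (WordPress stores a pending reset key in the `user_activation_key` column of the users table until the reset completes). It assumes the `wp` command is installed and that it is run from the WordPress install root.

```shell
#!/bin/sh
# Added triage helper for the Kirki CVE-2026-8206 advisory (example code, not
# from the article, Wordfence or the Kirki project). Assumes WP-CLI ("wp") is
# installed and that the script runs from the WordPress install root.

FIXED_VERSION="6.0.7"   # first patched release named in the advisory

# kirki_is_vulnerable VERSION
# Returns 0 when VERSION falls inside the affected range 6.0.0 .. 6.0.6.
kirki_is_vulnerable() {
    # Split "major.minor.patch" on dots; missing parts default to 0.
    set -- $(printf '%s' "$1" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "6.0.6-beta1"
    patch=${patch:-0}
    if [ "$major" -eq 6 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 6 ]; then
        return 0
    fi
    return 1
}

# kirki_triage
# Live checks via WP-CLI: plugin version, administrator accounts, and accounts
# holding an outstanding password-reset key (kept by WordPress in the users
# table's user_activation_key column until the reset completes).
kirki_triage() {
    if ! wp plugin is-installed kirki; then
        echo "Kirki is not installed; nothing to do."
        return 0
    fi
    version=$(wp plugin get kirki --field=version)
    if kirki_is_vulnerable "$version"; then
        echo "Kirki $version is in the affected range 6.0.0-6.0.6."
        echo "Update with: wp plugin update kirki   (or: wp plugin deactivate kirki)"
    else
        echo "Kirki $version is outside the affected range (fix is $FIXED_VERSION)."
    fi

    echo "--- administrator accounts (review email addresses) ---"
    wp user list --role=administrator --fields=ID,user_login,user_email,user_registered

    echo "--- accounts with an outstanding password-reset key ---"
    prefix=$(wp db prefix)
    wp db query "SELECT ID, user_login, user_email FROM ${prefix}users WHERE user_activation_key <> ''"
}

# Run the live checks only when WP-CLI is actually present.
if command -v wp >/dev/null 2>&1; then
    kirki_triage
else
    echo "wp not found; only the offline version check (kirki_is_vulnerable) is available." >&2
fi
```

The script reports rather than acts: it prints the update or deactivate command instead of running it, so the operator decides between patching and disabling, and the account listings give a starting point for the review of privileged accounts rather than a verdict.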

Sources

Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs
Ionut Arghire 2026.06.03 96% relevant
This article updates the Kirki exploitation story with Defiant's observation that thousands of attacks were blocked in the past 24 hours, estimates roughly 150,000 sites may still be running vulnerable Kirki versions 6.0.0 to 6.0.6, and reiterates patching to 6.0.7+.
Critical Kirki flaw exploited to hijack WordPress admin accounts
Bill Toulas 2026.06.02 100% relevant
This article establishes a distinct new exploitation story centered on CVE-2026-8206 in the Kirki plugin, with active in-the-wild attacks and specific remediation guidance.