Critical Kirki WordPress Plugin Flaw Exposes 500,000+ Sites to Account Takeovers A severe security vulnerability in the Kirki WordPress plugin (CVE-2026-8206, CVSS 9.8) has left over 500,000 websites at risk of account takeover attacks, with 150,000 sites currently vulnerable due to outdated versions. The flaw affects Kirki versions 6.0.0 through 6.0.6, a widely used tool for WordPress customization and page building. Discovered by security researcher Choigyeongmin and reported via the Wordfence Bug Bounty Program, the vulnerability stems from a flawed password reset mechanism in the plugin’s REST API. The `handle_forgot_password()` function improperly trusts user input, allowing attackers to manipulate the reset process. By submitting a valid username (e.g., an administrator) alongside an attacker-controlled email, threat actors can intercept the reset link, set a new password, and gain full administrative access. Successful exploitation could lead to complete site compromise, including the installation of malicious plugins, backdoors, rogue admin accounts, or persistent webshells aligning with common privilege escalation and persistence tactics. Wordfence validated the issue on May 8, 2026, deploying firewall protections for premium users the following day. The plugin’s developer, Themeum, was notified on May 15, 2026, and released a patch (version 6.0.7) within three days. Free Wordfence users will receive firewall coverage on June 8, 2026. Given the low complexity of exploitation and high impact, the vulnerability poses a significant risk to WordPress environments, particularly those with exposed user enumeration or public login pages. Administrators are urged to update immediately to mitigate potential breaches.