A critical unauthenticated privilege escalation vulnerability in the Kirki Freeform Page Builder, Website Builder & Customizer WordPress plugin is being actively exploited in the wild, enabling attackers to seize full administrative control of vulnerable sites. Tracked as CVE-2026-8206 and rated CVSS 9.8 (Critical), the flaw affects all Kirki versions from 6.0.0 through 6.0.6. The vulnerability lives inside the handle_forgot_password() function within the plugin’s CompLibFormHandler class, […]
The post WordPress Plugin Flaw Exposes 500,000+ Sites to Privilege Escalation appeared first on Cyber Security News.