Critical Kirki flaw exploited to hijack WordPress admin accounts
A critical privilege escalation vulnerability in the Kirki Customizer Framework plugin for WordPress, tracked as CVE-2026-8206, is being actively exploited in the wild. The flaw, which carries a CVSS score of 9.8, allows unauthenticated attackers to escalate privileges and take over any user account, including those with administrator-level access. Kirki is a popular plugin with over 600,000 active installations, used to customize WordPress themes.

The vulnerability was patched in version 5.1.1, released on May 28, 2026. According to BleepingComputer, security researchers at Wordfence detected the exploitation attempts starting on June 1, 2026. The attack involves sending specially crafted requests to the WordPress REST API endpoint, enabling attackers to modify user roles without authentication.

Site administrators are urged to update the plugin immediately to the latest version. As of the report, no workaround is available besides updating. The exploit allows attackers to gain full control over affected sites, potentially leading to data theft, malware distribution, or further compromise of server resources.
Unpatched Kirki plugin leaves 600k+ WordPress sites vulnerable to full admin takeover.