CVE-2026-8206

Tags: CRITICAL · EXPLOITED · LAB

Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'

Title source: cna

Exploitation Summary

CVE-2026-8206 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including rootdirective-sec, Jenderal92, O99099O.

AI-analyzed exploit summary: This repository contains a functional exploit PoC for CVE-2026-8206, demonstrating a password reset vulnerability in the Kirki WordPress plugin. The PoC includes a Docker-based lab environment to test both vulnerable (6.0.6) and patched (6.0.7) versions, with scripts to automate the exploitation and verification process.

Description

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.

Exploits (3)

Source: github · WORKING POC
by rootdirective-sec · python · poc
https://github.com/rootdirective-sec/CVE-2026-8206-Lab

This repository contains a functional exploit PoC for CVE-2026-8206, demonstrating a password reset vulnerability in the Kirki WordPress plugin. The PoC includes a Docker-based lab environment to test both vulnerable (6.0.6) and patched (6.0.7) versions, with scripts to automate the exploitation and verification process.

Classification: Working PoC (95%) · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Kirki WordPress plugin versions 6.0.6 and earlier
No auth needed
Prerequisites: Docker environment · WordPress instance with Kirki plugin installed
Analyzed by devstral-2 · Jun 05, 2026
Source: github · WORKING POC
by Jenderal92 · python · remote
https://github.com/Jenderal92/CVE-2026-8206

This repository contains a functional exploit for CVE-2026-8206, targeting the Kirki WordPress plugin (versions ≤ 6.0.6). The exploit automates the detection of vulnerable installations, extracts nonces, and sends crafted requests to hijack password reset links, allowing unauthenticated attackers to take over user accounts.

Classification: Working PoC (95%) · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Kirki WordPress Plugin ≤ 6.0.6
No auth needed
Prerequisites: Target must have Kirki plugin ≤ 6.0.6 installed · Attacker must control an email address to receive reset links
Analyzed by devstral-2 · Jun 02, 2026
Source: nomisec · WORKING POC
by O99099O · poc
https://github.com/O99099O/CVE-2026-8206-Poc-

This Python script automates the exploitation of CVE-2026-8206 in Kirki (versions 6.0.0-6.0.6) by abusing the password reset functionality to send a reset link to an attacker-controlled email. It extracts a nonce from the target site and crafts a malicious request to trigger the vulnerability.

Classification: Working PoC (95%) · Attack Type: Auth Bypass · Complexity: Moderate · Reliability: Reliable
Target: Kirki (WordPress plugin) 6.0.0-6.0.6
No auth needed
Prerequisites: target URL · valid username · attacker-controlled email
Analyzed by devstral-2 · Jun 02, 2026

Scores

CVSS v3 9.8
EPSS 0.0016
EPSS Percentile 36.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Lab Environment

Community Lab
docker pull wordpress:cli-php8.2
docker pull wordpress:6.5.5-php8.2-apache

Details

VulnCheck KEV 2026-06-02
CWE
CWE-269
Status published
Products (1)
themeum/Kirki – Freeform Page Builder, Website Builder & Customizer 6.0.0 - 6.0.6
Published Jun 02, 2026
Tracked Since Jun 02, 2026