Kirki – Freeform Page Builder, Website Builder & Customizer
Approved changes feed: RSS · Atom
cpe:2.3:a:themeum:kirki_–_freeform_page_builder,_website_builder_&_customizer:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Themeum (12449a9f-b8a3-5f81-9e39-f958a6d45415) |
|---|---|
| Product | Kirki – Freeform Page Builder, Website Builder & Customizer (d24d07e8-217e-5762-ad7d-8d645ed01577) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2026-8206 |
vulnerable | 2026-06-03 15:27:57.755479 |
Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'
CRITICAL (9.8)
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.
Published: 2026-06-02T03:28:49.326Z
Updated: 2026-06-02T10:47:47.685Z Reference links
|
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-8096 |
vulnerable | 2026-06-03 15:27:57.627449 |
Kirki <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via 'kirki_wp_admin_get_apis' Action
MEDIUM (6.5)
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.
Published: 2026-05-19T18:33:51.799Z
Updated: 2026-05-19T19:35:37.550Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2026-8073 |
vulnerable | 2026-06-03 15:27:57.608301 |
Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP
HIGH (7.5)
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.
Published: 2026-05-19T18:33:52.658Z
Updated: 2026-05-19T20:01:00.455Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.