Hackers Exploit Critical WordPress Plugin Flaw for Admin Account Takeovers
A critical vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress has been actively exploited by hackers to hijack user accounts, including admin accounts. The flaw allows attackers to generate password reset links sent to arbitrary email addresses they control, leading to account takeovers. Website owners must urgently upgrade to version 6.0.7 or disable the plugin to mitigate this risk.
Summary
Hackers have been exploiting a critical privilege escalation vulnerability in the Kirki plugin for WordPress, identified as CVE-2026-8206. This flaw allows unauthenticated attackers to hijack user accounts by generating password reset links sent to email addresses they control. Wordfence, which detected the attacks, blocked over 222 exploitation attempts within 24 hours. The vulnerability affects versions up to 6.0.6 of the plugin, which is active on more than half a million websites.
What happened
The Kirki plugin, known for its freeform visual builder and advanced theme customizer capabilities, contains a critical flaw in its password reset functionality that lets attackers hijack user accounts with ease. The issue arises because the plugin accepts an arbitrary email address in a password reset request, so an attacker can have the reset link delivered to an address they control instead of the one registered for the account.
How the attack works
The exploitation of CVE-2026-8206 involves the Kirki plugin's custom REST API endpoint for password resets. When a username is supplied in a password reset request, the plugin generates a valid reset link for that account but sends it to the attacker-supplied email address instead of the one registered for the user. The flaw requires minimal effort to exploit and has been actively abused, posing a significant risk to website security.
Affected products and fixed versions
The vulnerability impacts Kirki plugin versions 6.0.0 through 6.0.6. These versions are used by nearly 40% of the plugin's user base, according to WordPress.org download statistics. The vendor released a fix in version 6.0.7 on May 18, 2026, addressing the vulnerability and mitigating the risk of account takeovers.
Exploitation status
CVE-2026-8206 is actively exploited, as confirmed by Wordfence's detection of over 222 attack attempts within a single day. The ease with which attackers can exploit this flaw underscores the critical nature of the vulnerability and the urgent need for website owners to update their plugins.
Indicators of compromise
Indicators of compromise include password reset requests that the account holder did not initiate and unexpected account takeovers, particularly of admin-level accounts. Monitoring password reset and account-change activity is crucial for detecting exploitation early.
Detection opportunities
Website administrators can detect potential exploitation by monitoring logs for password reset requests that users did not initiate and for unauthorized account activity that follows them. Adding verification steps to the password reset process can also help identify and block malicious attempts.
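As an added illustration of the defensive pattern behind the fix and the logging suggested above (this is example code, not Kirki's own handler), a custom WordPress REST reset endpoint that looks the account up by login and mails the link only to the address already stored on the user record; the route namespace, function name and log format are assumptions.

```php
<?php
// Hypothetical reset endpoint (not Kirki's code). Only the user login is accepted
// from the client; the recipient address always comes from the user record.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-theme/v1', '/password-reset', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_password_reset',
        // Public on purpose, like wp-login.php?action=lostpassword.
        'permission_callback' => '__return_true',
        'args'                => array(
            'user_login' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_user',
            ),
        ),
    ) );
} );

function example_handle_password_reset( WP_REST_Request $request ) {
    $login = $request->get_param( 'user_login' );

    // The weak pattern described in the advisory trusts a client-supplied
    // "email" parameter as the recipient. Here no such parameter is read at all.
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        $user = get_user_by( 'email', $login );
    }

    // Same neutral answer whether or not the account exists (no user enumeration).
    $response = array( 'message' => 'If the account exists, a reset link has been sent.' );
    if ( ! $user ) {
        return rest_ensure_response( $response );
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return rest_ensure_response( $response );
    }

    $link = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // Record who requested a reset for which account so unexpected reset
    // activity can be reviewed (the "Detection opportunities" above).
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'password reset requested for user "%s" from %s', $user->user_login, $ip ) );

    // Recipient is the registered address, never anything from the request.
    wp_mail( $user->user_email, 'Password reset', "Use this link to reset your password: $link" );
    return rest_ensure_response( $response );
}
```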
Timeline
- May 4, 2026: Security researcher CHOIGYENGMIN discovers the vulnerability.
- May 16, 2026: Wordfence notifies the vendor of the flaw.
- May 18, 2026: Version 6.0.7 is released, fixing the vulnerability.
Why this matters for defenders
This vulnerability highlights the importance of timely updates and vigilant monitoring in maintaining website security. The active exploitation of CVE-2026-8206 demonstrates how quickly attackers can exploit critical flaws to gain unauthorized access, emphasizing the need for proactive defense measures.
Defender guidance
Website owners must immediately upgrade to Kirki plugin version 6.0.7 or disable the plugin if an update is not feasible. Additionally, implementing enhanced monitoring of password reset requests and account activities can help detect and prevent exploitation attempts. Regularly reviewing and updating security configurations is essential for protecting against similar vulnerabilities.
What remains unclear
Further details on the specific methods attackers use to exploit this vulnerability beyond generating password reset links are not yet confirmed. Understanding these tactics could provide deeper insights into preventing future attacks.
Sources
- https://www.bleepingcomputer.com/news/security/critical-kirki-flaw-exploited-to-hijack-wordpress-admin-accounts/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3b5630bd-5bce-4226-959f-5e81ae69b799?source=cve
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.4/ComponentLibrary/controller/CompLibFormHandler.php#L330
- https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L330
- https://plugins.trac.wordpress.org/browser/kirki/trunk/ComponentLibrary/controller/CompLibFormHandler.php#L48
