EXECUTIVE SUMMARY:
CVE-2026-8206 (CVSS score 9.8) is a critical unauthenticated privilege escalation flaw in the Kirki WordPress plugin, affecting the versions that introduced the vulnerable code. The defect resides in a custom REST API endpoint used for password‑reset requests: the handle_forgot_password() routine accepts a username and an attacker‑controlled email address, but it validates the user only by the supplied username and then sends the reset token to the supplied email rather than to the account’s registered address. An attacker can exploit this by sending a crafted POST request to the endpoint with a high‑privilege username and an external email they control, receiving a valid password‑reset link without any prior authentication. This grants the adversary the ability to set a new password, assume full administrative control of the WordPress site, install malicious plugins, modify content, or deploy persistent web shells. Business impact includes complete site takeover, data theft, reputational damage, and potential compliance violations. Exploitation requires only network access to the vulnerable site’s REST API and knowledge of an existing privileged username; no authentication or prior foothold is needed.
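To make the defect pattern concrete, the following PHP is an added illustration written for this summary; it is not Kirki's code, and the route namespace, route name, parameter names and function names are assumptions. The first handler reproduces the flaw described above (the reset token is mailed to whatever address the request supplies); the second is the hardened form a reviewer would expect, which ignores any caller-supplied address, mails only the account's registered email, and returns the same generic response whether or not the username exists.

```php
<?php
/**
 * Added illustration (hypothetical, not the plugin's code): a public REST
 * password-reset endpoint showing the vulnerable pattern and a hardened version.
 * Namespace 'example/v1', route '/forgot-password' and the parameter names
 * 'username' / 'email' are assumptions made for this example.
 */

// VULNERABLE PATTERN: the user is looked up by username, but the reset link is
// sent to an address the caller controls.
function example_handle_forgot_password_vulnerable( WP_REST_Request $request ) {
    $user_login = sanitize_text_field( $request->get_param( 'username' ) );
    $email      = sanitize_email( $request->get_param( 'email' ) ); // caller-controlled

    $user = get_user_by( 'login', $user_login );
    if ( ! $user ) {
        // Also leaks whether the username exists.
        return new WP_Error( 'not_found', 'Unknown user', array( 'status' => 404 ) );
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // Defect: the token goes to the supplied address, not to $user->user_email.
    wp_mail( $email, 'Password reset', "Reset your password: $link" );
    return rest_ensure_response( array( 'sent' => true ) );
}

// HARDENED VERSION: no email parameter is read at all; the destination is always
// the registered address, and the response does not reveal whether the user exists.
function example_handle_forgot_password_hardened( WP_REST_Request $request ) {
    $user_login = sanitize_text_field( $request->get_param( 'username' ) );
    $generic    = rest_ensure_response(
        array( 'message' => 'If the account exists, a reset link has been sent.' )
    );

    $user = get_user_by( 'login', $user_login );
    if ( ! $user ) {
        return $generic; // same response as the success path
    }

    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $generic; // do not surface internal errors to an unauthenticated caller
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // Only the account's registered email ever receives the token.
    wp_mail( $user->user_email, 'Password reset', "Reset your password: $link" );
    return $generic;
}

// Only the hardened handler is registered. The endpoint is intentionally public
// (a forgot-password flow has no authenticated caller), so the handler itself
// must guarantee that the token can only reach the account owner.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password_hardened',
        'permission_callback' => '__return_true',
        'args'                => array(
            'username' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

When auditing a plugin for this class of bug, the check is simple: find every call to wp_mail() (or equivalent) in a password-reset path and confirm that the recipient is derived from the stored user record ($user->user_email) and never from request input. Whether the endpoint also needs rate limiting against username guessing is a separate question; the essential fix is that the destination address is not a parameter.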
RECOMMENDATION:
REFERENCES:
The following report contains further technical details:
https://securityonline.info/kirki-plugin-vulnerability-wordpress-takeover/