CRITICALVulnerability
Verified
Global

NVD CRITICAL: CVE-2026-8206 — The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordP...

·Source: NIST NVD

Updated:

Executive Summary

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered

Analysis

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address. CVSS Score: 9.8. Published: 2026-06-02T04:17:03.550.

Indicators of Compromise (1)

CVE (1)
CVE-2026-8206
NVDMITRE CVE
Source Attribution

Originally published by NIST NVD on Jun 2, 2026. Verified by: NIST.

Related Threats

MEDIUMVulnerabilityNEW

Auditors Rip NIST Management of NVD Program

<img src="https://ismg-cdn.nyc3.cdn.digitaloceanspaces.com/articles/auditors-rip-nist-management-nvd-program-image_small-4-a-31848.jpg" align=right hspace=4><b>Auditors Accuse Agency of Mismanagement and Program Overlap</b><br>Management by the National Institute of Standards and Technology of a repository of vulnerability data came under sharp criticism from federal auditors who said the agency a

Bank Info Security
MEDIUMVulnerability

Apple Wallet to get bill-splitting tool

Apple is prepping an iPhone feature that will enable users to split bills in by taking a photograph of a receipt, according to Bloomberg.

Finextra
CRITICALVulnerability

Two-year old Oracle WebLogic Server vulnerability is being exploited

US federal government departments have been given until Thursday to patch a two-year old high severity vulnerability in Oracle WebLogic Server that could allow an unauthenticated attacker to access critical data. The vulnerability, CVE-2024-21182 , was added Monday to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog , giving federal Oracle

CVE-2024-21182CVE-2026-21962
CSO Online