03 June 2026
Reference: CVE-2026-8206
1. What is being reported?
The Kirki plugin, used to build and customise WordPress websites, has a weakness that lets attackers trick the system into sending password reset links to their own email address instead of the legitimate user’s. This means they can reset passwords and gain access to accounts they shouldn’t have.
2. What this means in plain English
If your website uses this plugin, an attacker could potentially take over your site’s administrator account. This could lead to your website being changed, data stolen, or your site being used to attack others. It’s a serious risk for any organisation relying on WordPress with this plugin installed.
3. Could this affect a small business?
Small businesses, charities, clubs or any organisation using WordPress with the Kirki plugin versions 6.0.0 to 6.0.6 are at risk. If you don’t use WordPress or don’t have this plugin installed, you are not affected.
4. What to do now
- Check if your website uses the Kirki plugin and note its version.
- If you use Kirki versions 6.0.0 to 6.0.6, update the plugin to a fixed version as soon as one is available.
- Ask your IT provider to verify your website’s user accounts for any suspicious password reset activity.
- Consider adding extra security measures like two-factor authentication for WordPress logins.
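To make the first two steps concrete, here is an added check that is not part of this advisory or of the Kirki project: it reads the "Version:" header that every WordPress plugin declares in its main PHP file and reports whether that version falls inside the affected range 6.0.0 to 6.0.6. The plugin file path is an assumption, and the sample header is constructed.

```python
# Added example (not from the advisory or the Kirki project): parse a WordPress
# plugin's "Version:" header and compare it with the affected range.
import re
from pathlib import Path

AFFECTED_MIN = (6, 0, 0)   # lowest affected version named in the advisory
AFFECTED_MAX = (6, 0, 6)   # highest affected version named in the advisory


def parse_version(text):
    """Return the plugin's Version header as a tuple of ints, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", text, re.MULTILINE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).strip(".").split(".")]
    # Pad to three components so "6.1" compares like (6, 1, 0).
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version):
    """True when the parsed version lies within the affected range, inclusive."""
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def check_plugin_file(path):
    """Return (version, affected); (None, False) means the plugin file is absent."""
    p = Path(path)
    if not p.is_file():
        return None, False
    version = parse_version(p.read_text(errors="replace"))
    return version, is_affected(version)


# Constructed sample header, in the format WordPress uses for plugin metadata.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Kirki Customizer Framework
 * Version: 6.0.3
 */
"""

if __name__ == "__main__":
    # Assumed location of the plugin's main file inside a WordPress install.
    version, affected = check_plugin_file("wp-content/plugins/kirki/kirki.php")
    if version is None:
        print("Kirki plugin file not found: site is not affected by this issue")
    else:
        print("Kirki %s -> %s" % (".".join(map(str, version)),
                                  "AFFECTED, update now" if affected else "not in affected range"))
```

Running it from the WordPress root prints whether the installed copy needs updating; the same check can be run against the sample header with `is_affected(parse_version(SAMPLE_HEADER))`.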
5. Ask your IT provider
Can you confirm whether our WordPress site uses the Kirki plugin, versions 6.0.0 to 6.0.6, and if so, whether it has been updated to fix the recent critical vulnerability CVE-2026-8206?
6. Bottom line
If you use the Kirki plugin on your WordPress site, update it now to prevent attackers from taking over your accounts.
Information based on NVD, CISA KEV, and reputable security reporting.