Critical Kirki WordPress Plugin Flaw Exposes 500,000+ Sites to Account Takeovers
A severe security vulnerability in the Kirki WordPress plugin (CVE-2026-8206, CVSS 9.8) has left over 500,000 websites at risk of account takeover, with 150,000 sites currently vulnerable because they run outdated versions. Kirki, a widely used WordPress customization and page-building tool, is affected in versions 6.0.0 through 6.0.6.
Discovered by security researcher Choigyeongmin and reported through the Wordfence Bug Bounty Program, the vulnerability stems from a flawed password reset mechanism in the plugin's REST API. The handle_forgot_password() function improperly trusts user input, allowing attackers to manipulate the reset process: by submitting a valid username (for example, an administrator's) together with an attacker-controlled email address, a threat actor has the reset link delivered to that address, sets a new password, and gains full administrative access.
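To make the bug class concrete, the following hypothetical WordPress REST handler shows the flawed pattern beside a hardened one. This is added illustrative code, not Kirki's handle_forgot_password() or any code from the advisory; the function names and the request parameter names (username, email, user_login) are assumptions.

```php
<?php
// Hypothetical illustration of the bug class described above; NOT Kirki's code.
// Both functions assume they are registered as REST callbacks via register_rest_route().

// VULNERABLE pattern: the reset link is mailed to whatever address the caller supplies,
// so anyone who knows an account's username can receive that account's reset link.
function example_forgot_password_vulnerable( WP_REST_Request $request ) {
    $user = get_user_by( 'login', sanitize_user( $request->get_param( 'username' ) ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    // BUG: the destination address comes from the request, not from the user record.
    wp_mail( $request->get_param( 'email' ), 'Password reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

// HARDENED pattern: accept one identifier, resolve it to a stored account, mail only
// the address on file, and answer identically whether or not the account exists.
function example_forgot_password_hardened( WP_REST_Request $request ) {
    $identifier = sanitize_text_field( $request->get_param( 'user_login' ) );
    $user = is_email( $identifier )
        ? get_user_by( 'email', $identifier )
        : get_user_by( 'login', $identifier );
    if ( $user instanceof WP_User ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            wp_mail( $user->user_email, 'Password reset', $link ); // stored address only
        }
    }
    // Uniform response: no account-existence oracle to aid user enumeration.
    return rest_ensure_response( array( 'sent' => true ) );
}
```

WordPress core's own retrieve_password() already implements the hardened flow, so a plugin rarely needs to reimplement it.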
Successful exploitation could lead to complete site compromise, including the installation of malicious plugins, backdoors, rogue admin accounts, or persistent webshells, consistent with common privilege escalation and persistence tactics.
Wordfence validated the issue on May 8, 2026, deploying firewall protections for premium users the following day. The plugin’s developer, Themeum, was notified on May 15, 2026, and released a patch (version 6.0.7) within three days. Free Wordfence users will receive firewall coverage on June 8, 2026.
Given the low complexity of exploitation and high impact, the vulnerability poses a significant risk to WordPress environments, particularly those with exposed user enumeration or public login pages. Administrators are urged to update immediately to mitigate potential breaches.
Source: https://cybersecuritynews.com/wordpress-plugin-vulnerability-exposes-2/
WPGIZ cybersecurity rating report: https://www.rankiteo.com/company/wpgiz
{
  "id": "WPG1780496633",
  "linkid": "wpgiz",
  "type": "Vulnerability",
  "date": "5/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": "Various (WordPress ecosystem)",
      "location": "Global",
      "name": "WordPress sites using Kirki plugin",
      "size": "500,000+ sites (150,000 vulnerable)",
      "type": "Websites"
    }
  ],
  "attack_vector": "Improper Input Validation in REST API",
  "date_detected": "2026-05-08",
  "date_resolved": "2026-05-18",
  "description": "A severe security vulnerability in the Kirki WordPress plugin (CVE-2026-8206, CVSS 9.8) has left over 500,000 websites at risk of account takeover attacks, with 150,000 sites currently vulnerable due to outdated versions. The flaw affects Kirki versions 6.0.0 through 6.0.6, allowing attackers to manipulate the password reset mechanism and gain full administrative access.",
  "impact": {
    "operational_impact": "Complete site compromise, installation of malicious plugins/backdoors, rogue admin accounts, persistent webshells",
    "systems_affected": "500,000+ websites (150,000 vulnerable)"
  },
  "investigation_status": "Resolved",
  "post_incident_analysis": {
    "corrective_actions": "Patch released to fix the vulnerability, firewall protections deployed by Wordfence",
    "root_causes": "Flawed password reset mechanism in the plugin’s REST API, improper trust of user input in the `handle_forgot_password()` function"
  },
  "recommendations": "Administrators are urged to update to Kirki version 6.0.7 immediately to mitigate potential breaches. Sites should also secure exposed user enumeration or public login pages.",
  "references": [
    { "source": "Wordfence Bug Bounty Program" }
  ],
  "response": {
    "containment_measures": "Firewall protections deployed by Wordfence (premium users on May 9, 2026; free users on June 8, 2026)",
    "remediation_measures": "Patch released (Kirki version 6.0.7) on May 18, 2026",
    "third_party_assistance": "Wordfence Bug Bounty Program, Wordfence Firewall Protection"
  },
  "title": "Critical Kirki WordPress Plugin Flaw Exposes 500,000+ Sites to Account Takeovers",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "CVE-2026-8206 (CVSS 9.8)"
}