{"schema_version":"1.0","report_url":"https://aretiq.ai/research/vul260602-cve-2026-8206-themeum-kirki-wordpress-plugin-password-reset-email-redirect-privilege-escalation/","date":"2026-06-02","last_modified":"2026-06-02","cve":"CVE-2026-8206","title":"CVE-2026-8206 — Themeum Kirki WordPress Plugin Password Reset Email Redirect Privilege Escalation","vulnerability_name":"Themeum Kirki WordPress Plugin Password Reset Email Redirect Privilege Escalation","vendor":"Themeum","product":"Kirki WordPress Plugin","component":"CompLibFormHandler","binary":"CompLibFormHandler.php","impact":"EoP","cwe":["CWE-640","CWE-287"],"severity":{"cvss_v4_score":9.2,"cvss_v4_vector":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},"attack_vector":"Network","patch_kb":"6.0.7","poc_verified":true,"poc_download":"https://aretiq.ai/downloads/","tags":["cve-2026-8206","wordpress","kirki","privilege-escalation","password-reset","rest-api"],"summary":"Overview: A vulnerability exists in the Kirki – Freeform Page Builder, Website Builder \u0026 Customizer plugin for WordPress, in the password reset functionality exposed via the REST API. The handle_forgot_password endpoint accepts a username and an arbitrary email address; when a reset is requested by username, the plugin generates a valid password reset key but sends the reset link to the attacker-supplied email instead of the user’s registered email. An unauthenticated attacker can exploit this to receive the password reset link for any user account, including administrator, and take over the account by resetting its password. The vulnerability affects versions 6.0.0 through 6.0.6 and was fixed in version 6.0.7.\n"}