https://aretiq.ai/tags/privilege-escalation/Recent content in Privilege-Escalation on Aretiq AIHugoen-usTue, 02 Jun 2026 00:00:00 +0000https://aretiq.ai/research/vul260602-cve-2026-8206-themeum-kirki-wordpress-plugin-password-reset-email-redirect-privilege-escalation/Tue, 02 Jun 2026 00:00:00 +0000https://aretiq.ai/research/vul260602-cve-2026-8206-themeum-kirki-wordpress-plugin-password-reset-email-redirect-privilege-escalation/<h2 id="1-overview">1. Overview</h2> <p>A vulnerability exists in the Kirki – Freeform Page Builder, Website Builder &amp; Customizer plugin for WordPress, in the password reset functionality exposed via the REST API. The <code>handle_forgot_password</code> endpoint accepts a username and an arbitrary email address; when a reset is requested by username, the plugin generates a valid password reset key but sends the reset link to the attacker-supplied email instead of the user&rsquo;s registered email. An unauthenticated attacker can exploit this to receive the password reset link for any user account—including administrator—and take over the account by resetting its password. The vulnerability affects versions 6.0.0 through 6.0.6 and was fixed in version 6.0.7.</p>