
Critical Kirki Flaw Exploited to Hijack WordPress Admin Accounts
Why It Matters
The exploit gives attackers full control over WordPress sites, risking data theft, malware injection, and service disruption for hundreds of thousands of websites.
Key Takeaways
- CVE‑2026‑8206 lets an unauthenticated attacker reset any WordPress user's password.
- Affected Kirki versions: 6.0.0 through 6.0.6, roughly 40% of active installs.
- Wordfence blocked more than 222 exploit attempts in a single 24‑hour window.
- Patched in Kirki 6.0.7, released May 18, 2026.
- Upgrade immediately, or deactivate the plugin until you can.
Pulse Analysis
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin powers more than half a million WordPress sites, offering designers a drag‑and‑drop interface for theme customization. A recent code change introduced a custom REST endpoint whose handler, handle_forgot_password(), accepted an arbitrary email address in password‑reset requests. By supplying a victim's username together with an attacker‑controlled email address, an unauthenticated caller could have a valid reset link for that account mailed to an inbox they control, set a new password, and hijack the account. WordPress core only ever mails a reset link to the address stored on the user record, so the endpoint effectively bypassed that built‑in safeguard.
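To make the failure concrete, here is the pattern the article describes, reconstructed as a minimal WordPress REST handler next to a hardened version. This is an added example, not Kirki's code: the namespace `example/v1`, the route paths, the parameter names `user_login` and `email`, and the function names are assumptions for illustration. The WordPress APIs used (`register_rest_route`, `get_user_by`, `get_password_reset_key`, `retrieve_password`, `wp_mail`) are real core functions.

```php
<?php
/**
 * Added example (not Kirki's code). Route, namespace and parameter names are
 * assumed for illustration; the WordPress functions called are core APIs.
 */

add_action( 'rest_api_init', function () {
    // Vulnerable shape: unauthenticated, and the reset link goes to a
    // caller-chosen address instead of the account's registered one.
    register_rest_route( 'example/v1', '/forgot-password-vulnerable', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password_vulnerable',
        'permission_callback' => '__return_true',
    ) );

    // Hardened shape: the caller only names the account. No destination
    // address is accepted from the request at all.
    register_rest_route( 'example/v1', '/forgot-password', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_forgot_password_fixed',
        'permission_callback' => '__return_true',
        'args'                => array(
            'user_login' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_handle_forgot_password_vulnerable( WP_REST_Request $request ) {
    $user = get_user_by( 'login', $request->get_param( 'user_login' ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    // BUG: the key is valid for $user, but the link is mailed to whatever
    // address the request supplied, so an attacker receives a working
    // reset link for the victim's account.
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    wp_mail( $request->get_param( 'email' ), 'Password reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

function example_handle_forgot_password_fixed( WP_REST_Request $request ) {
    $login = $request->get_param( 'user_login' );
    // Resolve the account by login or by email, exactly as wp-login.php does.
    $user = get_user_by( 'login', $login ) ?: get_user_by( 'email', $login );
    if ( $user ) {
        // retrieve_password() (core, WordPress 5.7+) generates the key and
        // mails the link to $user->user_email only. Log failures server-side
        // rather than returning them to the caller.
        $result = retrieve_password( $user->user_login );
        if ( is_wp_error( $result ) ) {
            error_log( 'password reset failed: ' . $result->get_error_message() );
        }
    }
    // Same response whether or not the account exists, so the endpoint does
    // not double as a username-enumeration oracle.
    return rest_ensure_response( array(
        'message' => 'If that account exists, a reset link has been sent to its registered address.',
    ) );
}
```

The decisive difference is a single line: the vulnerable handler passes a request parameter to `wp_mail()`, while the fixed handler never lets the request choose where the link goes. Delegating to `retrieve_password()` also inherits core's `lostpassword_post` hooks, so existing rate limiting and CAPTCHA plugins keep working.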
Wordfence, a leading WordPress security firm, first observed the abuse in early May 2026. Its firewall blocked over 222 attempts within a 24‑hour window, confirming active exploitation across the ecosystem. Because the vulnerability requires no credentials and works against any user—admin or otherwise—it escalates the risk profile of any site running the vulnerable Kirki versions. Compromised sites can become vectors for ransomware, SEO poisoning, or large‑scale data exfiltration, amplifying the threat beyond the individual blog or corporate page.
The vendor responded quickly, issuing version 6.0.7 on May 18, 2026, which removes the insecure endpoint and validates email ownership. Administrators should apply the patch immediately or deactivate the plugin until the fix is deployed. Because the flaw was being exploited before the patch shipped, updating alone is not enough on a site that ran a vulnerable version: review the user list for unexpected administrators, check for password resets you did not request, and rotate credentials for any account that looks touched. In parallel, best‑practice hardening—such as limiting REST API exposure for unauthenticated callers, enforcing strong passwords, and employing multi‑factor authentication—remains essential. This incident underscores the broader challenge of third‑party plugin security in the WordPress ecosystem and the need for continuous monitoring and rapid patch management to protect digital assets.
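One way to act on the "limit REST API exposure" advice is a small must-use plugin that refuses anonymous requests to any REST namespace not on an explicit allowlist. This is an added example, not from the article or from Kirki; the allowlist contents are assumptions and must be adjusted to what a given site actually serves to logged-out visitors. It uses the core `rest_pre_dispatch` filter, which runs after authentication and can short-circuit a request by returning a `WP_Error`.

```php
<?php
/**
 * Added example (not from the article or any plugin). Drop into
 * wp-content/mu-plugins/ to deny unauthenticated REST requests outside an
 * allowlist. The route prefixes below are assumed; tailor them per site.
 */

// Route prefixes that logged-out visitors are allowed to reach. Everything
// else in the REST API becomes authenticated-only.
function example_anonymous_rest_allowlist() {
    return array(
        '/wp/v2/posts',
        '/wp/v2/pages',
        '/wp/v2/media',
        '/oembed/1.0',
    );
}

function example_route_is_allowed( $route, array $allowlist ) {
    foreach ( $allowlist as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already short-circuited the request; respect it.
    if ( null !== $result ) {
        return $result;
    }
    // Cookie-plus-nonce and application-password sessions have been
    // resolved by this point, so logged-in users pass through untouched.
    if ( is_user_logged_in() ) {
        return $result;
    }
    $route = $request->get_route();
    if ( example_route_is_allowed( $route, example_anonymous_rest_allowlist() ) ) {
        return $result;
    }
    return new WP_Error(
        'rest_anonymous_forbidden',
        'Anonymous access to this route is disabled on this site.',
        array( 'status' => 403 )
    );
}, 10, 3 );
```

The caveat a practitioner should keep in mind: a password-reset endpoint has to be reachable without a session, so this control does not fix a flawed reset handler; it limits how much unauthenticated attack surface a plugin can add, and it makes a newly introduced route (like the one this article describes) fail closed until you choose to expose it.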