On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduced in the 6.0 major release. This vulnerability makes it possible for unauthenticated attackers to take over arbitrary user accounts on the site, including administrator accounts, by leveraging the plugin’s password reset functionality to have the…
The post Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin appeared first on Wordfence.
This article has been indexed from Blog – Wordfence
Read the original article: