Critical CVE-2026-8206 Flaw in Kirki Plugin Exposes 500,000 WordPress Sites to Attacks
ID: 4f0ea148-eb52-5b83-9f1f-3d02ad4f4ab2
STIX ID: report--4f0ea148-eb52-5b83-9f1f-3d02ad4f4ab2
Feed Name: ThreatCluster
**Critical Kirki plugin vulnerability (CVE-2026-8206) enables unauthenticated account hijacks and site takeover via a misconfigured password reset REST endpoint; affects Kirki 6.0.0–6.0.6 (≈500,000 sites, ~150,000 actively vulnerable), carries a CVSS 9.8, and was patched in version 6.0.7 on 2026-05-18 — administrators should update or disable the plugin and monitor for suspicious password-reset activity.**
