WordPress Plugin Flaw Opens Door to Privilege Escalation Attacks Across 500,000+ Sites
ID: 749481a0-f58a-5338-bfd2-7ecc526922e6
STIX ID: report--749481a0-f58a-5338-bfd2-7ecc526922e6
Feed Name: GBHackers
A critical vulnerability, CVE-2026-8206, in the Kirki WordPress plugin (versions 6.0.0–6.0.6) allows unauthenticated attackers to take over any account, including administrator accounts, by supplying an attacker-controlled email address during the password reset process. Wordfence validated the issue and released protections, and Themeum published a patch in version 6.0.7; site owners are urged to update immediately and review logs for suspicious password reset activity.
