Critical Kirki flaw exploited to hijack WordPress admin accounts
ID: a3dbdb3e-6a94-58cb-81ee-65ad24742482
STIX ID: report--a3dbdb3e-6a94-58cb-81ee-65ad24742482
Feed Name: Bleeping Computer
A critical vulnerability (CVE-2026-8206) in the Kirki WordPress plugin allowed an attacker to request a password reset for any user and have the reset link delivered to an attacker-controlled email address, making account hijacking trivial, including for administrator accounts. Wordfence observed active exploitation and blocked multiple attempts. All versions up to and including 6.0.6 are affected, which covers a large share of the plugin's install base; the fix shipped in version 6.0.7. Site owners should update to 6.0.7 or later immediately, or deactivate the plugin until they can. Because exploitation is already under way, updating does not undo an existing compromise: also review administrator accounts and recent password changes for anything unexpected.
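The flaw class described above, shown as an added illustration in WordPress PHP. This is not Kirki's code and not the actual patch; it is a hypothetical "forgot password" REST endpoint written once in the vulnerable shape (the caller chooses both the target account and the destination address) and once in the hardened shape (the reset link only ever goes to the address stored on the account). The route namespace `example/v1`, the function names prefixed `hypothetical_`, and the parameter names `user_login` and `email` are assumptions; the WordPress APIs used (`get_user_by`, `get_password_reset_key`, `network_site_url`, `wp_mail`, `register_rest_route`) are real core functions.

```php
<?php
// Added example, not Kirki's code. Hypothetical plugin endpoint for
// "forgot password", first in the vulnerable shape, then hardened.

// Builds the standard WordPress reset URL for a user and a fresh key.
function hypothetical_reset_link( WP_User $user ) {
    $key = get_password_reset_key( $user );            // core API, returns WP_Error on failure
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    return network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key )
        . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
}

// VULNERABLE: the reset link for any username is mailed to whatever
// address the request supplies. An attacker posts user_login=admin and
// email=attacker@example.net, then completes the reset themselves.
function hypothetical_vulnerable_reset( WP_REST_Request $request ) {
    $user = get_user_by( 'login', $request->get_param( 'user_login' ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user', array( 'status' => 404 ) );
    }
    $link = hypothetical_reset_link( $user );
    if ( is_wp_error( $link ) ) {
        return $link;
    }
    // Bug: destination comes from the request, not from the user record.
    wp_mail( $request->get_param( 'email' ), 'Password reset', $link );
    return rest_ensure_response( array( 'sent' => true ) );
}

// HARDENED: the destination is always the address stored on the account,
// so the caller cannot redirect the link. The response is the same whether
// or not the account exists, so the endpoint does not enumerate users.
function hypothetical_hardened_reset( WP_REST_Request $request ) {
    $login = sanitize_user( (string) $request->get_param( 'user_login' ) );
    $user  = get_user_by( 'login', $login );
    if ( $user ) {
        $link = hypothetical_reset_link( $user );
        if ( ! is_wp_error( $link ) ) {
            wp_mail( $user->user_email, 'Password reset', $link ); // stored address only
        }
    }
    return rest_ensure_response( array( 'sent' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/reset', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_hardened_reset',
        // A reset request is public by design; throttle it at the web
        // server or firewall layer rather than with a capability check.
        'permission_callback' => '__return_true',
        'args'                => array(
            'user_login' => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );
```

The only difference that matters is the first argument to `wp_mail()`: a reset flow must derive the destination from the stored user record and must never accept it from the request, even for a legitimately unauthenticated endpoint. In practice a plugin should not reimplement this at all; WordPress core's `retrieve_password()` already issues the key and mails the account's own address.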
