Vulnerabilities ›

CVE-2026-8073

High

CWE-23 — Weakness Type

                    Published: May 19, 2026                      ·  Modified: May 26, 2026                      ·  Source: NVD                

CVSS v3

7.5

🔗 NVD Official

📄 Description (English)

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.

🤖 AI Executive Summary

The Kirki WordPress plugin versions up to 6.0.6 contain a vulnerability allowing unauthenticated attackers to delete arbitrary files in the uploads directory due to insufficient path validation. This affects websites using this popular page builder plugin without proper access controls.

📄 Description (Arabic)

تحتوي إضافة Kirki للصفحات المخصصة في WordPress على ثغرة في دالة downloadZIP تسمح للمهاجمين غير المصرحين بحذف الملفات التعسفية في مجلد التحميلات. الثغرة ناتجة عن عدم كفاية التحقق من مسارات الملفات وغياب فحوصات القدرات الأمنية.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 21, 2026 17:18

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom healthcare

🎯 MITRE ATT&CK Techniques

T1070.004 T1566.002 T1190

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update the Kirki plugin to version 6.0.7 or later immediately. If immediate patching is not possible, disable the plugin and implement Web Application Firewall rules to block requests to the vulnerable downloadZIP function. Restrict file permissions on the WordPress uploads directory and implement access controls.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Kirki إلى الإصدار 6.0.7 أو أحدث فوراً. إذا لم يكن التحديث ممكناً، قم بتعطيل الإضافة وتطبيق قواعد جدار حماية تطبيقات الويب لحجب الطلبات للدالة المعرضة. قيد صلاحيات الملفات في مجلد التحميلات وطبق ضوابط الوصول.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2 5.2.1

🔵 SAMA CSF

AC-2 AC-3 SI-2

🟡 ISO 27001:2022

A.12.2.1 A.12.6.1 A.14.2.1

🔗 References & Sources 3

🔗

https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b2...

security@wordfence.com

📊 CVSS Score

7.5

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score7.5

CWECWE-23

EPSS0.12%

Exploit No

Patch ✗ No

Published 2026-05-19

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-23

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-8073

Introduce Yourself

Sign In Required