Kirki%20%E2%80%93%20Freeform%20Page%20Builder%2C%20Website%20Builder%20%26%20Customizer

Kirki – Freeform Page Builder, Website Builder & Customizer

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-8073

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-7.5||HIGH

EPSS-Not Assigned

Published-19 May, 2026 | 18:33

Updated-19 May, 2026 | 21:00

Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.

Vendor-Themeum

Product-Kirki – Freeform Page Builder, Website Builder & Customizer

CWE ID-CWE-23

Relative Path Traversal

CVE-2026-8096

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-6.5||MEDIUM

EPSS-Not Assigned

Published-19 May, 2026 | 18:33

Updated-19 May, 2026 | 21:00

Kirki <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via 'kirki_wp_admin_get_apis' Action

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.

Vendor-Themeum

Product-Kirki – Freeform Page Builder, Website Builder & Customizer

CWE ID-CWE-862

Missing Authorization