{“lastseen”:””,”description”:”The Kirki \u2013 Freeform Page Builder, Website Builder \\u0026 Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the ‘downloadZIP’ function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.”,”published”:”2026-05-19T18:33:52.658Z”,”modified”:”2026-05-19T18:33:52.658Z”,”type”:”cve”,”title”:”Kirki \\u003c= 6.0.6 – Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP”,”source”:”Wordfence”,”references”:”https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/id\/b073edd0-3f40-423e-976e-996b29caf66e?source=cve\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/kirki\/tags\/6.0.1\/includes\/API.php#L60\\nhttps:\/\/plugins.trac.wordpress.org\/changeset\/3535640\/kirki\/trunk\/includes\/API.php”,”id”:”CVE-2026-8073″,”bulletinFamily”:””,”cwe”:[“CWE-23″],”cvelist”:null,”sourceData”:”themeum Kirki \u2013 Freeform Page Builder, Website Builder \\u0026 Customizer 0″,”sourceHref”:””,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Kirki \u2013 Freeform Page Builder, Website Builder \\u0026 Customizer”,”version”:”0″,”vendor”:”themeum”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”The Kirki \u2013 Freeform Page Builder, Website Builder \\u0026 Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,16,12,15,13,7,11,5],"class_list":["post-55622","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n