{“lastseen”:””,”description”:”The Kirki \u2013 Freeform Page Builder, Website Builder \\u0026 Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.”,”published”:”2026-05-19T18:33:51.799Z”,”modified”:”2026-05-19T18:33:51.799Z”,”type”:”cve”,”title”:”Kirki \\u003c= 6.0.6 – Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via ‘kirki_wp_admin_get_apis’ Action”,”source”:”Wordfence”,”references”:”https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/id\/1a4414b1-6a49-42f8-9927-93763d1502ce?source=cve\\nhttps:\/\/plugins.trac.wordpress.org\/browser\/kirki\/tags\/6.0.4\/includes\/Ajax.php#L675\\nhttps:\/\/plugins.trac.wordpress.org\/changeset\/3535640\/kirki”,”id”:”CVE-2026-8096″,”bulletinFamily”:””,”cwe”:[“CWE-862″],”cvelist”:null,”sourceData”:”themeum Kirki \u2013 Freeform Page Builder, Website Builder \\u0026 Customizer 0″,”sourceHref”:””,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”Kirki \u2013 Freeform Page Builder, Website Builder \\u0026 Customizer”,”version”:”0″,”vendor”:”themeum”,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:””,”description”:”The Kirki \u2013 Freeform Page Builder, Website Builder \\u0026 Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,26,12,21,13,7,11,5],"class_list":["post-55623","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n