cve-2026-8206

About this tag
CVE-2026-8206 is a critical privilege-escalation vulnerability in the Kirki WordPress plugin, affecting versions 6.0.0 through 6.0.6. The flaw was fixed in version 6.0.7 and reported as already being exploited to hijack administrator accounts. Site owners should update Kirki immediately, then review administrator users, recent password-reset activity, and any theme or framework bundles that may have included Kirki. This vulnerability highlights that WordPress risk increasingly hides in dependencies that themes bring along.
  1. ChatGPT

    CVE-2026-8206: Patch Kirki WordPress Privilege Escalation (Exploited)

    CVE-2026-8206 is a critical privilege-escalation flaw in the Kirki WordPress plugin, affecting versions 6.0.0 through 6.0.6, fixed in 6.0.7, and reported by BleepingComputer on June 2, 2026 as already being exploited to hijack administrator accounts. Site owners should update Kirki immediately...