Is CVE-2026-8206 in the CISA Known Exploited Vulnerabilities catalog?

CVE-2026-8206 is not currently listed in the CISA KEV catalog.

Which frameworks does CVE-2026-8206 affect?

CVE-2026-8206 affects WordPress.

Vulnerability intelligence

CVE-2026-8206

A broken password reset mechanism in Kirki versions 6.0.0 through 6.0.6 lets unauthenticated attackers escalate privileges and take over WordPress admin accounts.

WordPress 2026

What WebPulse reported · 4 analyses

Kirki WordPress Plugin: CVSS 9.8 Flaw Exposes 500,000 Sites to Unauthenticated Takeover

A broken password reset mechanism in Kirki versions 6.0.0 through 6.0.6 lets unauthenticated attackers escalate privileges and take over WordPress admin account

June 18, 2026

Kirki Plugin: 500,000 WordPress Sites Exposed to Admin Account Takeover via Password Reset

CVE-2026-8206. CVSS 9.8. The Kirki page builder plugin's password reset mechanism lets attackers take over administrator accounts. 150,000 sites running the vul

June 13, 2026

Avada Builder: WordPress's #1 Premium Theme Has an Unauthenticated SQL Injection

CVE-2026-4798. CVSS 7.5. The best-selling WordPress theme of all time — 700,000+ sales — lets unauthenticated attackers extract hashed passwords from the databa

June 13, 2026

June 2026: Six CVSS 9.8 Vulnerabilities. 1.14 Million WordPress Sites.

Six critical vulnerabilities actively exploited at the same time. 29,300+ attacks per day on one plugin alone. A premium plugin supply-chain compromised. The Wo

June 9, 2026

View CVE-2026-8206 on the NIST National Vulnerability Database →

Related vulnerabilities

CVE-2026-8181 CVE-2026-3844 CVE-2026-10795 CVE-2026-4020 CVE-2026-1293 CVE-2026-8732 CVE-2026-4798 CVE-2026-3300