CRITICAL | Advisory | Jun 04, 2026
Action required
Immediately identify all WordPress instances running the Kirki plugin and patch them to version 6.0.7 or later. Search logs for POST requests to /wp-json/kirki* endpoints with password reset parameters, and review password reset events for suspicious email redirects.
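One way to run the log search described above, as an added example that is not part of the original advisory. It assumes web server access logs in Combined Log Format; the sample lines, IP addresses and the `EXAMPLE-ROUTE` path segment are constructed placeholders, and the function names are hypothetical. Besides the `/wp-json/kirki*` form it also matches the same REST routes when they are reached through WordPress's `?rest_route=` query form or an `/index.php/wp-json/` prefix.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def rest_route(target):
    """Return the WordPress REST route a request target addresses, or None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query)         # parse_qs percent-decodes the values
    if "rest_route" in query:             # plain-permalink form: /?rest_route=/kirki/...
        return query["rest_route"][0]
    path = unquote(parts.path)
    idx = path.lower().find("/wp-json/")  # also /index.php/wp-json/ and subdirectory installs
    return path[idx + len("/wp-json"):] if idx != -1 else None

def find_kirki_posts(lines):
    """Return the POST requests whose REST route starts with /kirki."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        route = rest_route(m["target"])
        if route and route.lower().startswith("/kirki"):  # compared case-insensitively
            hits.append({"ip": m["ip"], "time": m["time"],
                         "route": route, "status": int(m["status"])})
    return hits

def hits_per_client(hits):
    """Count matching requests per client IP to prioritise review."""
    return Counter(h["ip"] for h in hits)

# Constructed sample lines (documentation IP ranges, placeholder route name).
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Jun/2026:10:00:01 +0000] "POST /wp-json/kirki/EXAMPLE-ROUTE HTTP/1.1" 200 512 "-" "constructed"',
    '203.0.113.7 - - [04/Jun/2026:10:00:05 +0000] "POST /?rest_route=%2Fkirki%2FEXAMPLE-ROUTE HTTP/1.1" 200 512 "-" "constructed"',
    '198.51.100.4 - - [04/Jun/2026:10:01:00 +0000] "GET /wp-json/kirki/EXAMPLE-ROUTE HTTP/1.1" 200 90 "-" "constructed"',
    '192.0.2.10 - - [04/Jun/2026:10:02:00 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 401 77 "-" "constructed"',
    '198.51.100.9 - - [04/Jun/2026:10:03:00 +0000] "POST /index.php/wp-json/Kirki/EXAMPLE-ROUTE HTTP/1.1" 404 33 "-" "constructed"',
]

if __name__ == "__main__":
    for hit in find_kirki_posts(SAMPLE_LOG):
        print(hit)
```

Standard access logs do not record POST bodies, so each hit still has to be correlated by timestamp with password reset events and outgoing reset mail to confirm whether reset parameters were involved.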
Affected products
Kirki - Freeform Page Builder, Website Builder & Customizer
Defiant (Wordfence)
CVE IDs