SECURITYBLEEPING COMPUTER
Critical Kirki flaw exploited to hijack WordPress admin accounts
Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including administrators. The flaw allows unauthorized access to WordPress admin accounts through the Kirki plugin.
Related Signal
Adjacent reporting
- WP Maps Pro bug exploited to create admin accounts on WordPress sites
- Hackers exploit auth bypass flaw in Burst Statistics WordPress plugin
- Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
- Critical WP Maps Pro Flaw Actively Exploited to Create Admin Accounts
- The Internet Is Falling Down- CPanel/WHM Authentication Bypass CVE-2026-41940
- CISA Adds Actively Exploited Linux Root Access Bug CVE-2026-31431 to KEV