
Hackers Actively Exploit Kirki WordPress Plugin Flaw to Hijack Admin Accounts

By: Morgan Cipher Senior Privacy Journalist

Last updated: June 3, 2026

  • Hackers are actively exploiting a critical flaw in the Kirki WordPress plugin to hijack administrator accounts.

  • Two newly disclosed vulnerabilities in Avada Builder could allow attackers to steal sensitive data and compromise websites.

  • Security experts urge website owners to update affected plugins immediately to prevent exploitation.

WordPress website owners face a new wave of security threats after researchers uncovered multiple high-impact vulnerabilities affecting two widely used plugins, Kirki and Avada Builder. The flaws could allow attackers to take over administrator accounts, steal sensitive information, and gain complete control of vulnerable websites.

Security researchers have already observed active exploitation attempts targeting the Kirki vulnerability, raising concerns for hundreds of thousands of websites that may still be running unpatched versions.

Hackers Exploit Kirki Flaw to Seize Administrator Accounts

Security firm Wordfence warned that threat actors are actively exploiting a critical privilege escalation vulnerability tracked as CVE-2026-8206 in the Kirki plugin, a visual website builder and theme customization tool installed on more than 500,000 WordPress sites. According to Wordfence, its firewall blocked more than 222 attack attempts against customers within a 24-hour period.

The vulnerability affects Kirki versions 6.0.0 through 6.0.6 and stems from a password reset mechanism exposed through a custom REST API endpoint. Attackers can abuse the flaw by submitting a legitimate username while supplying an email address under their control.

Instead of sending the password reset link to the account owner’s registered email address, the plugin delivers it to the attacker-provided address. This behavior allows unauthenticated threat actors to generate valid password reset links for virtually any account on a vulnerable website.

As a result, attackers can gain access to administrator accounts and take full control of affected sites. Once inside, threat actors can install malicious plugins, alter website content, deploy web shells, establish persistent backdoors, and access sensitive databases.
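To make the described weakness concrete, here is an added illustration in Python (not Kirki's own code): a reset handler that mails the link to whatever address the request supplies, beside a hardened handler that derives the recipient from the stored account record. The USERS table and the OUTBOX mail sink are constructed stand-ins.

```python
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed sample account table standing in for the WordPress users table.
USERS = {"admin": "owner@example.com", "editor": "editor@example.com"}

# Constructed mail sink: records (recipient, token) instead of sending e-mail.
OUTBOX: List[Tuple[str, str]] = []


def new_reset_token() -> str:
    return secrets.token_urlsafe(32)


def vulnerable_reset(username: str, email: str) -> Optional[str]:
    """Models the flaw as the article describes it: the reset link is mailed
    to the address in the request, not to the account's registered address."""
    if username not in USERS:
        return None
    token = new_reset_token()
    OUTBOX.append((email, token))  # recipient chosen by the caller
    return token


def hardened_reset(username: str, email: str) -> bool:
    """Hardened form: the recipient is always the stored address. The request's
    e-mail is only compared against it, and every outcome returns True so the
    endpoint does not reveal which usernames exist or which e-mail they use."""
    registered = USERS.get(username)
    if registered is None:
        return True
    if not hmac.compare_digest(registered.lower().encode(), email.lower().encode()):
        return True  # mismatch: send nothing, say nothing
    OUTBOX.append((registered, new_reset_token()))
    return True


def deliveries_to(address: str) -> int:
    """Number of reset tokens the sink has recorded for this address."""
    return sum(1 for recipient, _ in OUTBOX if recipient == address)
```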

Security researcher CHOIGYENGMIN discovered the vulnerability and reported it to Wordfence on May 4, 2026. Wordfence notified the plugin vendor on May 16, and developers released a fix in version 6.0.7 two days later. Researchers advised website administrators to update immediately or disable the plugin until they can deploy the patched version.

Avada Builder Bugs Expose Sensitive Files and Databases

Researchers also disclosed two serious vulnerabilities affecting the Avada Builder plugin, a drag-and-drop page builder used with the popular Avada WordPress theme and installed on roughly one million websites.

Security researcher Rafie Muhammad discovered both flaws through the Wordfence Bug Bounty Program and received rewards totaling more than $4,400 for the findings.

The first issue, tracked as CVE-2026-4782, allows authenticated users with subscriber-level access to read arbitrary files on a server. The vulnerability affects Avada Builder versions up to and including 3.15.2.

Wordfence explained that the flaw exists within the plugin’s shortcode rendering functionality. Attackers can exploit a parameter known as “custom_svg” to access sensitive files because the plugin fails to properly validate file types and sources.

Researchers warned that attackers could retrieve files such as wp-config.php, which often contains database credentials, authentication secrets, and cryptographic keys. Access to that file could ultimately lead to administrator account compromise and complete website takeover.

Although the vulnerability requires a registered account, researchers noted that many WordPress sites allow user registrations, reducing the effectiveness of that barrier.
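The article attributes the file-read flaw to missing validation of file types and sources. As an added example (not Avada Builder's code), the check below validates a request-supplied SVG reference on all three counts: it must resolve inside the uploads directory, carry an .svg extension, and actually parse as an SVG document. The uploads tree and the sample wp-config.php it builds are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from xml.etree import ElementTree as ET

SVG_ROOT = "{http://www.w3.org/2000/svg}svg"


def resolve_svg(ref: str, uploads_dir: str) -> Path:
    """Return the on-disk path for a request-supplied SVG reference, or raise
    ValueError. Checks source (inside uploads_dir), type (.svg) and content
    (parses as an SVG document), so a reference to wp-config.php is refused."""
    if not ref or ref.startswith(("/", "\\")) or "://" in ref or "\x00" in ref:
        raise ValueError("absolute path, URL or NUL byte in reference")
    base = Path(uploads_dir).resolve()
    candidate = (base / ref).resolve()  # collapses any ../ segments
    if base not in candidate.parents:
        raise ValueError("reference escapes the uploads directory")
    if candidate.suffix.lower() != ".svg":
        raise ValueError("not an .svg file")
    if not candidate.is_file():
        raise ValueError("no such file")
    try:
        root = ET.parse(candidate).getroot()
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from None
    if root.tag != SVG_ROOT:
        raise ValueError("root element is not <svg>")
    return candidate


def demo() -> dict:
    """Builds a constructed uploads tree and classifies four references."""
    site = Path(tempfile.mkdtemp())
    uploads = site / "uploads"
    uploads.mkdir()
    (uploads / "logo.svg").write_text('<svg xmlns="http://www.w3.org/2000/svg"/>')
    (uploads / "fake.svg").write_text("<?php echo 'not an image'; ?>")
    (site / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'sample');")
    refs = ["logo.svg", "fake.svg", "../wp-config.php", str(site / "wp-config.php")]
    results = {}
    for ref in refs:
        try:
            resolve_svg(ref, str(uploads))
            results[ref] = "accepted"
        except ValueError:
            results[ref] = "rejected"
    return results
```

For untrusted XML in production, parse with a hardened parser such as defusedxml rather than the standard library one used here for brevity.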

Unpatched Sites Face Elevated Risk

The second Avada Builder vulnerability, CVE-2026-4798, is a time-based blind SQL injection flaw that affects versions up to 3.15.1.

Researchers said attackers can exploit the issue without authentication if a website previously used WooCommerce and later deactivated the plugin while leaving its database tables intact.

The flaw stems from insufficient validation of user-controlled input passed through the “product_order” parameter. Attackers can exploit the weakness to extract sensitive database information, including password hashes and other confidential records.
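Ordering values cannot be passed as bound SQL parameters, so input like product_order has to be validated against an allowlist. The added example below (not Avada Builder's code) shows the unsafe concatenation pattern beside an allowlist mapping, exercised against a constructed in-memory table; the "column-direction" request format is an assumption made for the example.

```python
import re
import sqlite3
from typing import Callable, List

# Constructed mapping from request values to real column names. The request
# format "column-direction" (e.g. "price-desc") is an assumption for this example.
ORDER_COLUMNS = {"date": "post_date", "price": "price", "title": "title"}
DEFAULT_ORDER = "ORDER BY post_date DESC"
_ORDER_RE = re.compile(r"([a-z]+)(?:-(asc|desc))?")


def unsafe_order_clause(product_order: str) -> str:
    """The pattern behind this class of bug: the request value lands in the SQL text."""
    return "ORDER BY " + product_order


def safe_order_clause(product_order: str) -> str:
    """ORDER BY cannot take bound parameters, so the fix is an allowlist:
    anything that is not exactly a known column and direction gets the default."""
    m = _ORDER_RE.fullmatch(product_order or "")
    if not m or m.group(1) not in ORDER_COLUMNS:
        return DEFAULT_ORDER
    return f"ORDER BY {ORDER_COLUMNS[m.group(1)]} {(m.group(2) or 'asc').upper()}"


def product_ids(product_order: str, clause: Callable[[str], str]) -> List[int]:
    """Runs the chosen clause builder against a constructed in-memory product table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(id INTEGER, title TEXT, price REAL, post_date TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        (1, "Mug", 9.5, "2026-01-03"),
        (2, "Tee", 19.0, "2026-02-10"),
        (3, "Cap", 14.0, "2026-01-20"),
    ])
    rows = con.execute("SELECT id FROM products " + clause(product_order)).fetchall()
    return [r[0] for r in rows]
```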

Muhammad reported both vulnerabilities to Wordfence on March 21, 2026. Wordfence notified the plugin publisher three days later. Developers released a partial fix in version 3.15.2 on April 13, followed by a complete patch in version 3.15.3 on May 12.

Security experts urged website owners to upgrade Kirki to version 6.0.7 and Avada Builder to version 3.15.3 as soon as possible, warning that unpatched systems remain vulnerable to account hijacking, data theft, and full site compromise.

The urgency of patching was highlighted by another recent incident, in which hackers planted backdoors in more than 30 WordPress plugins and forced an emergency security response, a reminder that WordPress site owners must stay vigilant.
