CVE-2026-8206

WordPress · Kirki Plugin

The Kirki plugin for WordPress is vulnerable to unauthenticated privilege escalation via an account takeover flaw in the password reset process.

Executive summary

An unauthenticated account takeover vulnerability in the Kirki WordPress plugin allows attackers to compromise user accounts and escalate privileges.

Vulnerability

The vulnerability exists because the plugin fails to properly validate the username-to-email mapping during password reset requests, allowing an unauthenticated attacker to trigger a password reset for any registered user to an attacker-controlled email address.

Business impact

This flaw facilitates full account takeover, which can lead to unauthorized access to sensitive site data, administrative panel control, and the potential for malicious code injection into the website. With a CVSS score of 9.8, this represents a critical risk to site integrity and user trust.

Remediation

Immediate Action: Update the Kirki plugin to the latest version to resolve the password reset logic error.

Proactive Monitoring: Audit user account changes and recent password reset requests for suspicious activity or unauthorized account modifications.

Compensating Controls: Disable the password reset functionality if possible, or implement a rate-limiting mechanism on the reset endpoint via a security plugin or WAF.
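The following PHP is an added illustration of the flaw class described in the Vulnerability section and of the rate-limiting and audit controls listed under Remediation; it is not Kirki's code, and the handler name, the AJAX action name and the request parameters are assumptions. The first handler shows the vulnerable pattern (a reset link mailed to an address taken from the request without checking that it belongs to the named user); the second shows the hardened form, which mails only the address on file, returns a uniform response, logs the request for auditing, and rate-limits reset requests per client IP using WordPress transients.

```php
<?php
// Added illustration for this advisory: NOT Kirki's code. The function names,
// the AJAX action 'demo_reset_request', the POST field names and the 5 per
// 15-minute limit are assumptions chosen for the example.

// BEFORE (vulnerable pattern): the handler accepts a username and an e-mail
// from the request and mails the reset link to the supplied address. Nothing
// checks that the address belongs to the user the key was generated for.
function demo_reset_request_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );

    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        wp_send_json_error( 'no such user', 404 ); // also leaks account existence
    }

    $key  = get_password_reset_key( $user ); // valid reset key for $login
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key )
        . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    wp_mail( $email, 'Password reset', $link ); // BUG: $email never compared to $user->user_email
    wp_send_json_success();
}

// AFTER (hardened): the destination address is never taken from the request.
// Look the account up, send only to the stored address, answer identically
// whether or not the account exists, log the attempt, and rate-limit by IP.
function demo_reset_request_hardened() {
    $ip     = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $bucket = 'demo_reset_rl_' . md5( $ip );
    $count  = (int) get_transient( $bucket );
    if ( $count >= 5 ) { // assumed limit: 5 reset requests per IP per 15 minutes
        wp_send_json_error( 'too many requests', 429 );
    }
    set_transient( $bucket, $count + 1, 15 * MINUTE_IN_SECONDS );

    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $user  = get_user_by( 'login', $login );
    if ( ! $user && is_email( $login ) ) {
        $user = get_user_by( 'email', $login ); // allow the e-mail as identifier too
    }

    if ( $user ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . rawurlencode( $key )
                . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            wp_mail( $user->user_email, 'Password reset', $link ); // address on file only
        }
        // Audit trail for the "Proactive Monitoring" step of the advisory.
        error_log( sprintf( 'password reset requested for user #%d from %s', $user->ID, $ip ) );
    }

    // Uniform response: does not reveal whether the account exists.
    wp_send_json_success( 'If the account exists, a reset link has been sent.' );
}

add_action( 'wp_ajax_nopriv_demo_reset_request', 'demo_reset_request_hardened' );
add_action( 'wp_ajax_demo_reset_request', 'demo_reset_request_hardened' );
```

The transient-based counter is a per-IP limit suitable for a single site; behind a reverse proxy the client address must be taken from the trusted forwarding header instead of REMOTE_ADDR, and a WAF rule on the reset endpoint (as the advisory suggests) provides the same control without code changes.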

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Account takeover vulnerabilities are frequently targeted by automated scanners. Site administrators should prioritize updating the Kirki plugin immediately to prevent unauthorized access and potential site-wide compromise.