CVE-2026-8073

Kirki · Kirki – Freeform Page Builder, Website Builder & Customizer plugin

The Kirki WordPress plugin is vulnerable to arbitrary file deletion due to missing capability checks and insufficient path validation in the 'downloadZIP' function.

Executive summary

The Kirki WordPress plugin contains an arbitrary file deletion vulnerability that could allow an unauthenticated attacker to remove critical system files.

Vulnerability

The vulnerability resides in the downloadZIP function, which fails to perform proper capability checks or validate file paths. This allows an unauthenticated attacker to trigger file deletion operations on the hosting server.
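The two controls the advisory says are missing, a capability check and path validation, are shown together in the hardened handler below. This is an added illustration written for this page, not Kirki's own code; the hook name, nonce action, export directory and function names are hypothetical.

```php
<?php
// Hypothetical hardened WordPress AJAX handler (not Kirki's code).
// It deletes an export archive only after authorization, CSRF
// verification and confinement of the requested path to one directory.

/**
 * Resolve $relative inside $base_dir and refuse anything that escapes it.
 * Returns the real path, or null if the target does not exist or lies
 * outside $base_dir (e.g. via "../" segments or symlinks).
 */
function kirki_example_confine_path( string $base_dir, string $relative ): ?string {
    $base   = realpath( $base_dir );
    $target = realpath( $base_dir . DIRECTORY_SEPARATOR . $relative );
    if ( false === $base || false === $target ) {
        return null;
    }
    // The resolved target must sit strictly below the base directory.
    if ( 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $target;
}

function kirki_example_delete_export_zip(): void {
    // 1. Capability check: only site administrators may delete exports.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce check against cross-site request forgery.
    check_ajax_referer( 'kirki_example_delete_zip', 'nonce' );

    // 3. Path validation: accept a bare .zip file name only, then confine
    //    it to the plugin's export directory under wp-content/uploads.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || ! preg_match( '/\.zip$/', $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }
    $upload_dir = wp_upload_dir();
    $export_dir = trailingslashit( $upload_dir['basedir'] ) . 'kirki-example-exports';
    $path       = kirki_example_confine_path( $export_dir, $name );
    if ( null === $path ) {
        wp_send_json_error( 'file not found', 404 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}

// Registered for logged-in users only: no wp_ajax_nopriv_ hook, so an
// unauthenticated request never reaches the handler at all.
add_action( 'wp_ajax_kirki_example_delete_zip', 'kirki_example_delete_export_zip' );
```

Reviewers checking a plugin for this bug class can look for the same three properties in any file-deleting handler: a `current_user_can()` check, a nonce check, and a `realpath()`-based confinement of the target before `unlink()`/`wp_delete_file()` is called.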

Business impact

This vulnerability poses a critical risk to site availability and integrity. With a CVSS score of 7.5, an attacker could delete sensitive configuration files or core application components, leading to a complete denial of service or site compromise.

Remediation

Immediate Action: Update the Kirki plugin to the latest available version provided by the vendor to remediate the insecure function.

Proactive Monitoring: Review file integrity logs for unauthorized deletion events and monitor WordPress error logs for suspicious activity related to plugin-specific functions.

Compensating Controls: If an update is not immediately available, consider disabling the Kirki plugin or implementing a WAF rule to block requests targeting the downloadZIP function.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Unauthorized file deletion is a severe security event that can lead to permanent data loss or total site failure. It is imperative that site administrators update the affected plugin immediately or remove it if it is not essential to the site's operation.