CVE-2026-8073
Kirki · Kirki – Freeform Page Builder, Website Builder & Customizer plugin
The Kirki WordPress plugin is vulnerable to arbitrary file deletion due to missing capability checks and insufficient path validation in the 'downloadZIP' function.
Executive summary
The Kirki WordPress plugin contains an arbitrary file deletion vulnerability that could allow an unauthenticated attacker to remove critical system files.
Vulnerability
The vulnerability resides in the downloadZIP function, which neither checks the caller's capabilities nor validates the file path it receives. As a result, an unauthenticated attacker can trigger file deletion operations on the hosting server.
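For contrast, the following is an added example of the two controls the advisory says are missing (a capability check and path validation) applied to a WordPress handler that deletes a generated file. It is not Kirki's code; the action name, the export directory and the request parameter are assumptions for illustration.

```php
<?php
// Added example, not Kirki's code: a hardened WordPress handler for deleting
// a generated export file. Action name, directory and parameter are assumed.

add_action( 'wp_ajax_example_delete_export', 'example_delete_export' );

function example_delete_export() {
    // 1. Capability check: only users allowed to manage the site may reach the
    //    file operation. Registering only wp_ajax_* (no nopriv variant) already
    //    keeps unauthenticated requests away from this handler.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_delete_export', 'nonce' );

    // 3. Path validation: accept a bare file name only, then resolve it and
    //    confirm it still lives inside the directory this feature owns.
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    if ( '' === $name || 'zip' !== pathinfo( $name, PATHINFO_EXTENSION ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }

    $base_dir = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'example-exports' );
    $target   = false === $base_dir ? false : realpath( $base_dir . '/' . $name );

    // realpath() collapses "../" sequences, so a prefix comparison on the
    // resolved path rejects anything that escaped the export directory.
    if ( false === $target
        || 0 !== strpos( $target, trailingslashit( $base_dir ) )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'file not found', 404 );
    }

    // 4. wp_delete_file_from_directory() re-checks the directory boundary
    //    before unlinking, so the confinement is enforced twice.
    if ( ! wp_delete_file_from_directory( $target, $base_dir ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```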
Business impact
This vulnerability poses a critical risk to site availability and integrity. It carries a CVSS score of 7.5: an attacker could delete sensitive configuration files or core application components, leading to a complete denial of service or site compromise.
Remediation
Immediate Action: Update the Kirki plugin to the latest version provided by the vendor to fix the insecure function.
Proactive Monitoring: Review file integrity logs for unauthorized deletion events and monitor WordPress error logs for suspicious activity related to plugin-specific functions.
Compensating Controls: If an update is not immediately available, consider disabling the Kirki plugin or implementing a WAF rule to block requests targeting the downloadZIP function.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Unauthorized file deletion is a severe security event that can lead to permanent data loss or total site failure. It is imperative that site administrators update the affected plugin immediately or remove it if it is not essential to the site's operation.