CVE-2026-8073
7.5 HIGHThe Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insu...
Published: 2026-05-19 · Last updated: 2026-05-19
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE
- CWE-23
Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.
Source: NVD
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8073
- [Other]https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60
- [Other]https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php
- [Other]https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve
Related CVEs
Same CWE
- CVE-2026-34026 — Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter ...
- CVE-2026-48569 — Improper input validation in Visual Studio Code allows an unauthorized attacker to bypass a security feature locally (7.1 HIGH)
- CVE-2026-47287 — Relative path traversal in Visual Studio Code allows an unauthorized attacker to perform tampering over a network (6.5 MEDIUM)
- CVE-2026-48681 — OpenStack Ironic through before 35.0.2 allows file overwrite via directory traversal during deployment with a crafted ISO image (5.9 MEDIUM)
- CVE-2026-5422 — A path traversal vulnerability exists in jupyter-server version 2.17.0 due to an incorrect root directory boundary check in the _get_os_p... (8.1 HIGH)