PatchSiren cyber security CVE debrief
CVE-2026-15457 themeum CVE debrief
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability. The vulnerability has a CVSS score of 4.9 and a severity of MEDIUM. Users of the plugin should be aware of this vulnerability and take necessary actions to protect their sites.
- Vendor
- themeum
- Product
- Kirki – Freeform Page Builder, Website Builder & Customizer
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Users of the Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress, especially those with editor-level access and above, should be aware of this vulnerability and take necessary actions to protect their sites. This includes updating the plugin to a version that fixes this vulnerability and restricting access to the plugin's functionality to only trusted users.
Technical summary
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability. The vulnerability has a CVSS score of 4.9 and a severity of MEDIUM. Users of the plugin should be aware of this vulnerability and take necessary actions to protect their sites. To address this vulnerability, defenders should focus on updating the plugin to a version that fixes the issue, restricting access to the plugin's functionality, and monitoring server logs for suspicious activity. Additionally, reviewing compensating controls and verifying affected scope and severity with the vendor or other trusted sources is crucial.
Defensive priority
High priority should be given to updating the Kirki – Freeform Page Builder, Website Builder & Customizer plugin to a version that fixes this vulnerability. Additionally, defenders should monitor server logs for suspicious activity and review compensating controls for exposed systems while remediation is scheduled and verified. It is also recommended to track exceptions, retest remediated assets, and close the item only after evidence is documented. Users should also consider reviewing the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance, and plan vendor-supported updates or mitigations through normal change control where exposure is confirmed. Finally, checking relevant monitoring, detection, and logs for exposed assets that need extra review is crucial. Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up. Asset inventory management and rollback/change windows planning are also advised. Source tracking should be implemented to monitor for similar vulnerabilities in the future. Compensating controls should be reviewed for exposed systems while remediation is scheduled and verified. Monitoring and detection capabilities should be used to identify potential exploitation attempts. A thorough review of the vulnerability and its potential impact on the organization should be conducted to ensure that all necessary steps are taken to mitigate the vulnerability effectively. The organization should also consider implementing a process for quickly responding to and remediating vulnerabilities like this one in the future. This may include establishing a vulnerability management program that includes regular reviews of vulnerability information, prioritization of remediation efforts, and implementation of compensating controls where necessary. By taking these steps, organizations can help protect themselves against potential exploitation of this vulnerability and reduce the risk of a successful attack. It is essential to note that the organization should also review its current security policies and procedures to ensure that they are adequate and effective in managing
Recommended defensive actions
- Update the Kirki – Freeform Page Builder, Website Builder & Customizer plugin to a version that fixes this vulnerability.
- Restrict access to the plugin's functionality to only trusted users.
- Monitor server logs for suspicious activity.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The vulnerability was reported by [email protected] and is publicly known. The CVE record was published on 2026-07-17T05:16:38.323Z and has not been modified since then. The source details are limited, and defenders should verify the affected scope and severity with the vendor or other trusted sources.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T05:16:38.323Z and has not been modified since then.