PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57726 Themeum CVE debrief

A CRITICAL SQL Injection vulnerability was discovered in Kirki, a WordPress plugin. The vulnerability, tracked as CVE-2026-57726, has a CVSS score of 9.3 and allows for Blind SQL Injection. The issue affects Kirki from n/a through version 6.0.12. This vulnerability can be exploited by attackers to inject malicious SQL code, potentially leading to unauthorized access to sensitive data. Administrators and users of WordPress sites utilizing the Kirki plugin should prioritize patching this vulnerability to prevent potential Blind SQL Injection attacks. The CVE record was published on 2026-07-13T10:16:39.317Z and has not been modified since then.

Vendor
Themeum
Product
Kirki
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Administrators and users of WordPress sites utilizing the Kirki plugin should prioritize patching this vulnerability to prevent potential Blind SQL Injection attacks. This includes reviewing the plugin version and updating to version 6.0.13 or later if necessary. Additionally, site owners should conduct a thorough inventory of WordPress sites using the Kirki plugin and implement compensating controls, such as web application firewalls, to detect and prevent SQL Injection attacks.

Technical summary

The CVE-2026-57726 vulnerability is caused by improper neutralization of special elements used in an SQL command, allowing for Blind SQL Injection. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L. The vulnerability was published on 2026-07-13T10:16:39.317Z and has not been modified since then. Affected systems have not been confirmed beyond the Kirki plugin version range.

Defensive priority

High

Recommended defensive actions

  • Patch the Kirki plugin to version 6.0.13 or later
  • Conduct a thorough inventory of WordPress sites using the Kirki plugin
  • Implement compensating controls, such as web application firewalls, to detect and prevent SQL Injection attacks
  • Monitor for suspicious database activity
  • Consider removing the Kirki plugin if not essential to site functionality

Evidence notes

The CVE record was published on 2026-07-13T10:16:39.317Z and has not been modified since then. The NVD entry is currently being reviewed. The vulnerability was reported by [email protected]. Evidence of exploitation has not been reported, but defenders should verify the patch status of their Kirki plugin deployments and monitor for suspicious database activity.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T10:16:39.317Z and has not been modified since then.