PatchSiren cyber security CVE debrief
CVE-2026-57726 Themeum CVE debrief
A CRITICAL SQL Injection vulnerability was discovered in Kirki, a WordPress plugin. The vulnerability, tracked as CVE-2026-57726, has a CVSS score of 9.3 and allows for Blind SQL Injection. The issue affects Kirki from n/a through version 6.0.12. This vulnerability can be exploited by attackers to inject malicious SQL code, potentially leading to unauthorized access to sensitive data. Administrators and users of WordPress sites utilizing the Kirki plugin should prioritize patching this vulnerability to prevent potential Blind SQL Injection attacks. The CVE record was published on 2026-07-13T10:16:39.317Z and has not been modified since then.
- Vendor
- Themeum
- Product
- Kirki
- CVSS
- CRITICAL 9.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Administrators and users of WordPress sites utilizing the Kirki plugin should prioritize patching this vulnerability to prevent potential Blind SQL Injection attacks. This includes reviewing the plugin version and updating to version 6.0.13 or later if necessary. Additionally, site owners should conduct a thorough inventory of WordPress sites using the Kirki plugin and implement compensating controls, such as web application firewalls, to detect and prevent SQL Injection attacks.
Technical summary
The CVE-2026-57726 vulnerability is caused by improper neutralization of special elements used in an SQL command, allowing for Blind SQL Injection. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L. The vulnerability was published on 2026-07-13T10:16:39.317Z and has not been modified since then. Affected systems have not been confirmed beyond the Kirki plugin version range.
Defensive priority
High
Recommended defensive actions
- Patch the Kirki plugin to version 6.0.13 or later
- Conduct a thorough inventory of WordPress sites using the Kirki plugin
- Implement compensating controls, such as web application firewalls, to detect and prevent SQL Injection attacks
- Monitor for suspicious database activity
- Consider removing the Kirki plugin if not essential to site functionality
Evidence notes
The CVE record was published on 2026-07-13T10:16:39.317Z and has not been modified since then. The NVD entry is currently being reviewed. The vulnerability was reported by [email protected]. Evidence of exploitation has not been reported, but defenders should verify the patch status of their Kirki plugin deployments and monitor for suspicious database activity.
Official resources
-
CVE-2026-57726 CVE record
CVE.org
-
CVE-2026-57726 NVD detail
NVD
-
Source item URL
nvd_modified
- Mitigation or vendor reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T10:16:39.317Z and has not been modified since then.