PatchSiren cyber security CVE debrief
CVE-2026-8073 themeum CVE debrief
CVE-2026-8073 is a high-severity flaw in the Kirki WordPress plugin that can let an unauthenticated attacker trigger arbitrary file deletion, with the impact limited to paths under the WordPress uploads base directory. The issue is tied to insufficient file path validation and a missing capability check in the downloadZIP function. NVD lists the vulnerability as deferred, while Wordfence references the affected code location and a later changeset in the WordPress plugin repository.
- Vendor: themeum
- Product: Kirki – Freeform Page Builder, Website Builder & Customizer
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
WordPress site owners and administrators running the Kirki – Freeform Page Builder, Website Builder & Customizer plugin, especially any site still on version 6.0.6 or earlier. Teams responsible for WordPress plugin patching, media/uploads workflows, and site integrity monitoring should prioritize this advisory.
Technical summary
The supplied NVD record describes CVE-2026-8073 as an arbitrary file deletion issue in Kirki caused by insufficient file path validation and a missing capability check in downloadZIP. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, reflecting network-reachable, unauthenticated impact. Wordfence’s references point to the affected plugin file and a later changeset in the WordPress plugin repository, indicating the issue was addressed in source control. The described impact is constrained to the WordPress uploads base directory, but the ability to delete files without authentication is still operationally significant.
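As an added illustration (not Kirki's code, which the page does not reproduce), here are the two controls whose absence the summary describes, written in Python rather than the plugin's PHP: a capability gate on the delete handler (what current_user_can() provides in WordPress) and a path check that resolves the requested name and verifies it still lies under the uploads base directory, so '..' segments and symlinks pointing outside the tree are rejected. The capability name, directory layout and file names are constructed for the demo.

```python
import os
import tempfile
from typing import Optional

# Capability the handler must require before deleting anything; the name is
# illustrative (a WordPress handler would call current_user_can()).
REQUIRED_CAP = "manage_options"


def resolve_under_base(base_dir: str, requested: str) -> Optional[str]:
    """Real path of `requested` if it stays inside `base_dir`, else None.
    realpath on both sides means '..' segments and symlinks that point
    outside the uploads tree are rejected, not just literal prefixes."""
    if os.path.isabs(requested):
        return None  # only names relative to the uploads tree are accepted
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, requested))
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate if inside else None


def check_delete_request(base_dir: str, user_caps: set, requested: str) -> str:
    """'forbidden' if the caller lacks the capability (the missing check in the
    advisory), 'invalid-path' for a CWE-23 style escape, otherwise 'ok'."""
    if REQUIRED_CAP not in user_caps:
        return "forbidden"
    if resolve_under_base(base_dir, requested) is None:
        return "invalid-path"
    return "ok"


def demo() -> dict:
    """Constructed uploads tree with one file and a symlink escaping the tree."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(os.path.join(uploads, "2026", "05"))
    open(os.path.join(uploads, "2026", "05", "a.jpg"), "w").close()
    open(os.path.join(root, "wp-config.php"), "w").close()
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(uploads, "link"))
    admin, anon = {"manage_options"}, set()
    return {
        "anon_legit": check_delete_request(uploads, anon, "2026/05/a.jpg"),
        "admin_legit": check_delete_request(uploads, admin, "2026/05/a.jpg"),
        "admin_traversal": check_delete_request(uploads, admin, "../../wp-config.php"),
        "admin_symlink": check_delete_request(uploads, admin, "link"),
        "admin_absolute": check_delete_request(uploads, admin, "/etc/passwd"),
    }
```

Note that the capability check runs before the path check, so an unauthenticated caller is refused even when the name is harmless.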
Defensive priority
High
Recommended defensive actions
- Upgrade Kirki to a version newer than 6.0.6 from the official plugin distribution channel as soon as a fixed release is available.
- If you cannot confirm a safe version, temporarily disable or remove the plugin until you can verify remediation.
- Review WordPress uploads-related file integrity and recent deletion activity for unexpected changes.
- Validate that plugin update and file permission controls are in place so unauthenticated requests cannot reach file-handling logic.
- Track the official WordPress plugin repository and the Wordfence advisory for the remediation details and any follow-up notices.
Evidence notes
All claims here are limited to the supplied corpus and official links. The NVD record cites Wordfence as the source of the vulnerability details, including CWE-23, the affected file reference in plugins.trac.wordpress.org, and a repository changeset. The provided CVSS vector supports a network-exploitable, unauthenticated condition. Vendor attribution is uncertain in the supplied metadata, so the debrief treats Kirki as the affected product and WordPress/plugin distribution as the relevant ecosystem.
Official resources
Publicly disclosed on 2026-05-19 based on the supplied CVE published timestamp.