PatchSiren cyber security CVE debrief
CVE-2026-8096 themeum CVE debrief
CVE-2026-8096 affects the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin in versions up to and including 6.0.6. The issue is an authorization bypass caused by insufficient verification that a user is allowed to perform the action. As disclosed, authenticated attackers with subscriber-level access and above can view Kirki frontend forms and read stored visitor submission data, including contact details, messages, and other user-provided form content.
- Vendor: themeum
- Product: Kirki – Freeform Page Builder, Website Builder & Customizer
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
WordPress site owners, administrators, and security teams running the Kirki plugin, especially on sites that collect visitor form submissions or allow subscriber-level accounts. Privacy and compliance teams should also care because the exposed data may contain personal or sensitive contact information.
Technical summary
The supplied record describes a broken authorization check in the plugin’s frontend form handling. NVD lists the weakness as CWE-862 (Missing Authorization) and the CVSS vector as CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: a network-reachable issue that requires low privileges (an ordinary authenticated account) but no user interaction, with high confidentiality impact and no integrity or availability impact. The practical effect is a confidentiality loss: an authenticated attacker with subscriber-level privileges can access forms and stored submission data they should not be able to see.
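To make the CWE-862 pattern concrete, the block below is an added illustrative example written for this debrief; it is not Kirki's code and does not describe how the plugin actually handles forms. It shows the general shape of a missing-authorization bug in a WordPress plugin: a handler that returns stored submissions is reachable by any logged-in user because nothing checks what that user is permitted to do. The hardened versions add a capability check (and, for the AJAX handler, a nonce). All function names, the `example_` action names, the REST namespace and the `example_form_submissions` option key are hypothetical.

```php
<?php
/**
 * Added illustrative example for a CWE-862 (Missing Authorization) pattern in a
 * WordPress plugin. Not Kirki's code. All "example_" identifiers are hypothetical.
 */

// ---------------------------------------------------------------------------
// Vulnerable pattern: wp_ajax_* hooks fire for ANY logged-in user, including
// subscribers. Registering a handler on wp_ajax_* is authentication, not
// authorization; nothing here asks whether the caller may read submissions.
// ---------------------------------------------------------------------------
add_action( 'wp_ajax_example_get_submissions', 'example_get_submissions_unsafe' );
function example_get_submissions_unsafe() {
    $submissions = get_option( 'example_form_submissions', array() ); // hypothetical option key
    wp_send_json_success( $submissions ); // returns visitor data to any authenticated user
}

// ---------------------------------------------------------------------------
// Hardened pattern: a nonce check (CSRF) plus a capability check (authorization).
// The nonce alone is not sufficient; a subscriber can obtain a valid nonce for
// their own session, so current_user_can() is the check that actually matters.
// ---------------------------------------------------------------------------
add_action( 'wp_ajax_example_get_submissions_v2', 'example_get_submissions_safe' );
function example_get_submissions_safe() {
    // Dies with a 403 response if the 'nonce' request field is missing or invalid.
    check_ajax_referer( 'example_submissions_nonce', 'nonce' );

    // Authorization: only users with manage_options (administrators by default)
    // may read visitor submission data. A subscriber fails this test.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $submissions = get_option( 'example_form_submissions', array() );
    wp_send_json_success( $submissions );
}

// ---------------------------------------------------------------------------
// The same bug in REST form: permission_callback => '__return_true' makes the
// route readable by anyone who can reach it. The fix is a real permission
// callback that enforces a capability.
// ---------------------------------------------------------------------------
add_action( 'rest_api_init', function () {
    // Vulnerable: no authorization at all.
    register_rest_route( 'example/v1', '/submissions-unsafe', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_rest_list_submissions',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: the route only answers for users holding manage_options.
    register_rest_route( 'example/v1', '/submissions', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_rest_list_submissions',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

function example_rest_list_submissions( WP_REST_Request $request ) {
    return rest_ensure_response( get_option( 'example_form_submissions', array() ) );
}
```

When auditing a plugin for this class of issue, the things to look for are exactly the two shapes above: `wp_ajax_*` handlers whose body never calls `current_user_can()` (or a plugin-specific equivalent), and REST routes whose `permission_callback` is `__return_true` or missing while the callback returns non-public data.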
Defensive priority
Medium. The score is 6.5 and the primary impact is confidentiality exposure of visitor-submitted data. Prioritize this if the plugin is installed on a public site or if collected submissions may include personal, business, or regulated information.
Recommended defensive actions
- Inventory WordPress sites for the Kirki plugin and confirm whether any instance is running version 6.0.6 or earlier.
- Apply the vendor patch or a fixed release as soon as it is available through the WordPress plugin channel.
- If patching is not immediately possible, disable affected form features or remove the plugin from exposed sites until remediation is in place.
- Review subscriber and other low-privilege accounts for unnecessary access while the issue is being addressed.
- Audit stored Kirki form submissions for potentially exposed personal or sensitive data and handle any required notification or privacy response steps per policy.
- Monitor the official plugin changelog and the WordPress plugin repository changeset referenced in the advisory for remediation details.
Evidence notes
The CVE description and NVD metadata state that the issue affects Kirki versions up to and including 6.0.6 and that authenticated attackers with subscriber-level access and above can view frontend forms and stored visitor submissions. NVD also provides the CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, identifies CWE-862, and marks vulnStatus as Deferred. The supplied references point to the WordPress plugin source file, a WordPress Trac changeset, and a Wordfence advisory.
Official resources
This advisory record was published 2026-05-19T19:16:51.743Z and modified 2026-05-19T21:00:47.093Z. The supplied timeline shows no KEV listing, and NVD marks the entry as Deferred.