CVE-2026-8096 affects the Kirki – Freeform Page Builder, Website Builder & Customizer WordPress plugin in versions up to and including 6.0.6. The issue is an authorization bypass caused by insufficient verification that a user is allowed to perform the action. As disclosed, authenticated attackers with subscriber-level access and above can view Kirki frontend forms and read stored visitor submission data, [truncated]
CVE-2026-8073 is a high-severity flaw in the Kirki WordPress plugin that can let an unauthenticated attacker trigger arbitrary file deletion, with the impact limited to paths under the WordPress uploads base directory. The issue is tied to insufficient file path validation and a missing capability check in the downloadZIP function. NVD lists the vulnerability as deferred, while Wordfence references the af [truncated]
