Hundreds of thousands of websites are potentially exposed to attacks exploiting two vulnerabilities in the Kirki and Burst Statistics WordPress plugins, Defiant warns.
Kirki provides website and freeform page creation tools as well as WordPress Customizer enhancements. Versions 6.0.0 through 6.0.6 of the plugin are affected by an unauthenticated privilege escalation and account takeover bug.
Tracked as CVE-2026-8206 (CVSS score of 9.8), the issue lies in the plugin’s password reset flow: it let an attacker supply a username together with an arbitrary email address and have a password reset key for that username sent to the supplied address.
“This means an unauthenticated attacker can send a request specifying a high-privileged username together with an attacker-controlled email address and receive a valid password reset link for the targeted account,” Defiant explains.
The attacker can then use the reset link to take control of the targeted account. By resetting the password for an administrative account, the attacker can take over the entire website.
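To make the class of bug concrete, the following is an added illustration for this article; it is not Kirki’s code and not material from Defiant. It shows a hypothetical WordPress AJAX reset handler written in the flawed shape the advisory describes (the reset key is mailed to whatever address the request carries), followed by a hardened version that resolves the account server-side and mails the key only to the address stored on that account. The function names, the `example_reset` AJAX action and the nonce name are assumptions made for the example; the WordPress API calls (`get_user_by`, `get_password_reset_key`, `wp_mail`, `check_ajax_referer`, `network_site_url`) are real core functions.

```php
<?php
// Added illustration, not the Kirki plugin's code. The handler names,
// the "example_reset" action and the nonce name are assumptions.

// FLAWED PATTERN: a valid reset key for the named account is created and
// then mailed to an e-mail address taken from the request itself.
function example_reset_flawed() {
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );

    $user = get_user_by( 'login', $username );
    if ( ! $user ) {
        wp_send_json_error( 'invalid user' );
    }

    // Core issues a real reset key for $user regardless of who asked.
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        wp_send_json_error( 'could not create key' );
    }

    $link = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );

    // BUG: $email came from the request, so the link goes wherever the caller chose.
    wp_mail( $email, 'Password reset', $link );
    wp_send_json_success();
}

// HARDENED PATTERN: the recipient is never taken from the request.
function example_reset_hardened() {
    // A public (nopriv) endpoint still needs a CSRF nonce (nonce name is assumed).
    check_ajax_referer( 'example_reset_nonce', 'nonce' );

    $login = sanitize_text_field( wp_unslash( $_POST['user_login'] ?? '' ) );

    // Accept a username or an e-mail, but resolve the account server-side.
    $user = is_email( $login )
        ? get_user_by( 'email', $login )
        : get_user_by( 'login', $login );

    // Respond identically whether or not the account exists, so the endpoint
    // cannot be used to enumerate usernames.
    $generic = 'If an account exists for that login, a reset link has been sent '
             . 'to the e-mail address on record.';

    if ( $user ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            // Only the address stored on the account ever receives the key.
            wp_mail( $user->user_email, 'Password reset', $link );
        }
    }

    wp_send_json_success( $generic );
}

// wp_ajax_nopriv_* is what makes a handler reachable without logging in;
// handlers registered there deserve the closest review.
add_action( 'wp_ajax_nopriv_example_reset', 'example_reset_hardened' );
add_action( 'wp_ajax_example_reset', 'example_reset_hardened' );
```

The fix is not about validating the supplied email more carefully; it is that the request must not be allowed to choose the recipient at all. When auditing a plugin for this pattern, look for any `wp_ajax_nopriv_` handler that calls `get_password_reset_key()` (or builds a `wp-login.php?action=rp` URL) and check where the argument to `wp_mail()` comes from: if it can trace back to `$_POST` or `$_GET` rather than to `$user->user_email`, the handler has the same shape as the flaw described above.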