Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12472

CVE-2026-12472: Kirki WordPress Auth Bypass Vulnerability

CVE-2026-12472 is an authorization bypass flaw in Kirki WordPress plugin that lets unauthenticated attackers send phishing emails with legitimate password-reset links. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-12472 Overview

CVE-2026-12472 is an authorization bypass vulnerability in the Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress. The flaw affects all versions up to and including 6.0.11. The plugin fails to verify that a user is authorized to perform an email-sending action exposed by its component library form handler. Unauthenticated attackers can send HTML-injected emails to any registered user through the site's own mail server. Because the messages originate from the legitimate WordPress instance, they inherit its Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) reputation. The vulnerability is tracked under [CWE-862] Missing Authorization.

Critical Impact

Attackers can send phishing emails from the target WordPress site containing a genuine password-reset URL for a targeted user, abusing SPF/DKIM trust to bypass mail filtering.

Affected Products

  • Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress
  • All versions up to and including 6.0.11
  • WordPress sites running the vulnerable plugin with any registered users

Discovery Timeline

  • 2026-07-02 - CVE-2026-12472 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-12472

Vulnerability Analysis

The vulnerability stems from missing authorization checks in the plugin's CompLibFormHandler.php controller. The handler processes an email-sending action but does not confirm that the caller is authenticated or authorized to invoke it. As a result, unauthenticated network requests can reach the underlying wp_mail() call. Attackers can specify both the recipient (any registered user) and the message content.

The handler applies sanitize_text_field() to the attacker-controlled emailSubject parameter, which strips tags but preserves attacker-supplied text. More critically, emailBody items of type text are concatenated raw into the HTML body without escaping, allowing arbitrary HTML injection into the message. Items of type chip can embed the genuine WordPress password-reset link generated for the targeted account, giving the phishing email a valid, working credential-reset workflow.

Root Cause

The root cause is a missing capability or nonce check on the email-sending endpoint in CompLibFormHandler.php (see references at lines 49, 342, and 441). The ElementGenerator.php component (line 219) constructs HTML from the raw emailBody array. Together, these produce an authorization bypass combined with HTML injection into outbound mail.

Attack Vector

Exploitation occurs over the network without authentication or user interaction on the WordPress host. The attacker submits a crafted request to the exposed handler with a target registered user, an arbitrary subject, and an emailBody array containing HTML text items and a chip item that triggers generation of a real password-reset URL. The victim receives an email from the legitimate site domain, signed by the site's DKIM key, containing attacker-authored HTML and a valid reset link. Full technical details are available in the Wordfence Vulnerability Analysis and the WordPress Kirki Code Review.

Detection Methods for CVE-2026-12472

Indicators of Compromise

  • Unauthenticated POST requests targeting the Kirki ComponentLibrary form handler endpoint from unexpected source IPs.
  • Outbound emails from the WordPress site containing password-reset URLs sent to users who did not initiate a reset.
  • User reports of unexpected password-reset or notification emails originating from the site's legitimate mail domain.
  • Web server access logs showing repeated requests referencing CompLibFormHandler parameters such as emailSubject, emailBody, or chip items.

Detection Strategies

  • Correlate WordPress wp_mail() invocations with the originating request context and flag mails triggered by unauthenticated sessions.
  • Alert on password-reset URLs being embedded in outbound mail bodies without a corresponding user-initiated reset event.
  • Compare installed Kirki plugin version against 6.0.11 and prior across managed WordPress fleets.

Monitoring Recommendations

  • Monitor mail queue and SMTP relay logs on the WordPress host for spikes in outbound messages to registered user addresses.
  • Track HTTP request rates and body sizes against the Kirki plugin endpoints and alert on anomalous unauthenticated traffic.
  • Review WordPress audit logs for password-reset URL generation events not tied to a legitimate reset request.

How to Mitigate CVE-2026-12472

Immediate Actions Required

  • Update the Kirki plugin to a version later than 6.0.11 on all WordPress installations.
  • If a patched version is unavailable in your environment, deactivate the Kirki plugin until it can be updated.
  • Audit recent outbound mail from affected sites and notify users who may have received unsolicited password-reset messages.
  • Invalidate any password-reset tokens issued during the exposure window and force affected accounts to re-authenticate.

Patch Information

A fix was committed to the Kirki plugin repository. Review the WordPress Kirki Changeset for the specific code changes that add authorization checks and sanitize email body content. Administrators should upgrade to the fixed release through the WordPress plugin manager.

Workarounds

  • Restrict access to the Kirki ComponentLibrary form handler endpoint at the web server or WAF layer for unauthenticated requests.
  • Temporarily disable the Kirki plugin on production sites until the update is applied.
  • Configure outbound mail filtering to inspect and rate-limit password-reset messages generated by the WordPress instance.
bash
# Configuration example: disable the Kirki plugin via WP-CLI until patched
wp plugin deactivate kirki

# Optional: block unauthenticated access to the vulnerable handler at the web server
# Nginx snippet
location ~* /wp-content/plugins/kirki/ComponentLibrary/ {
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.