CVE-2026-8073 Overview
CVE-2026-8073 affects the Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress. The flaw exists in the downloadZIP function, which lacks proper file path validation and a capability check. Unauthenticated attackers can read and delete arbitrary files within the WordPress uploads base directory by sending crafted requests to the vulnerable endpoint.
The vulnerability affects all plugin versions up to and including 6.0.6. Although the issue is scoped to the uploads directory, deletion of critical files such as wp-config.php can lead to site takeover if such a file resides within that reachable location. The vulnerability is classified as a path traversal weakness [CWE-23].
Critical Impact
Unauthenticated attackers can delete arbitrary files inside the WordPress uploads base directory, enabling data destruction and potential disruption of site functionality.
Affected Products
- Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress
- All versions up to and including 6.0.6
- WordPress sites with the vulnerable plugin installed and activated
Discovery Timeline
- 2026-05-19 - CVE-2026-8073 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8073
Vulnerability Analysis
The Kirki plugin exposes a downloadZIP function defined in includes/API.php. This function processes user-supplied input that references files on disk. The implementation fails to validate the file path against a trusted allowlist and omits a capability check that would restrict the operation to authorized administrators.
As a result, an attacker can supply traversal sequences or arbitrary filenames and trigger file read and deletion operations. The scope is limited to the WordPress uploads base directory, but this still includes user-uploaded media, plugin-managed assets, and any sensitive content stored there.
Root Cause
The root cause is twofold. First, the downloadZIP function does not sanitize or canonicalize the supplied path before invoking file system operations, allowing path traversal [CWE-23]. Second, the endpoint lacks an authentication or authorization check, so any unauthenticated network user can invoke it. Together these gaps permit arbitrary file deletion within the uploads directory boundary.
Attack Vector
The vulnerability is exploited over the network with no authentication or user interaction. An attacker sends an HTTP request to the WordPress site that invokes the vulnerable downloadZIP handler. The request specifies a target file path within the uploads directory or uses traversal characters to reach files inside that scope. The plugin then reads and deletes the targeted file.
The vulnerability mechanism is documented in the Kirki plugin source. See the WordPress Kirki API Source and the Wordfence Vulnerability Report for technical details.
Detection Methods for CVE-2026-8073
Indicators of Compromise
- HTTP requests to WordPress endpoints invoking the Kirki downloadZIP action with file path parameters
- Unexpected deletion or absence of files inside the wp-content/uploads directory
- Web server access logs containing path traversal sequences such as ../ directed at Kirki plugin endpoints
- Requests from unauthenticated sessions targeting Kirki AJAX or REST handlers
Detection Strategies
- Monitor WordPress access logs for requests referencing Kirki API endpoints combined with file parameters
- Alert on unauthenticated requests that result in file system write or delete operations under wp-content/uploads
- Deploy file integrity monitoring across the WordPress uploads directory to flag unexpected deletions
- Correlate plugin version inventory with vulnerable Kirki versions 6.0.6 and earlier
Monitoring Recommendations
- Enable verbose logging on the web server and capture full query strings for Kirki plugin URLs
- Track file system events on the WordPress installation, particularly the uploads directory, using auditd or equivalent tooling
- Review WordPress installations for the Kirki plugin and confirm the installed version against the patched release
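The following scanner turns the indicators and detection strategies listed above into something that can be run over captured access logs. It is an added example, not part of this advisory or of the Kirki project. It parses combined-format web server log lines, URL-decodes the request URI twice so that both %2e%2e%2f and the double-encoded %252e%252e%252f forms normalize to ../, and flags requests that reference the Kirki plugin together with a traversal sequence or a download-style action. The log lines are constructed; the advisory does not give the real action parameter name, so the samples use the placeholder action value kirki_downloadzip_placeholder.

```python
"""Access-log scanner for the CVE-2026-8073 indicators listed in the advisory.

Added example; not part of the advisory or the Kirki project. The sample log
lines are constructed, and 'kirki_downloadzip_placeholder' is a placeholder
for the real action parameter value, which the advisory does not name.
"""
import re
from urllib.parse import unquote, urlsplit

# Combined log format: ip ident user [timestamp] "METHOD URI PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Traversal in either separator style, checked after decoding and lower-casing.
TRAVERSAL_RE = re.compile(r'\.\./|\.\.\\')

SAMPLE_LOG = """\
203.0.113.5 - - [19/May/2026:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=kirki_downloadzip_placeholder&file=..%2F..%2Fplaceholder.txt HTTP/1.1" 200 512
203.0.113.5 - - [19/May/2026:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=kirki_downloadzip_placeholder&file=%252e%252e%252fplaceholder.txt HTTP/1.1" 200 128
198.51.100.9 - - [19/May/2026:10:02:00 +0000] "GET /wp-content/uploads/2026/05/logo.png HTTP/1.1" 200 8811
198.51.100.9 - - [19/May/2026:10:02:01 +0000] "GET /wp-admin/admin-ajax.php?action=kirki_downloadzip_placeholder&file=export.zip HTTP/1.1" 200 4096
"""


def normalize(uri: str) -> str:
    """Lower-case the path and query after two rounds of percent-decoding."""
    parts = urlsplit(uri)
    return unquote(unquote(parts.path + "?" + parts.query)).lower()


def scan_line(line: str):
    """Return a finding dict for a suspicious Kirki request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = normalize(m["uri"])
    if "kirki" not in decoded:
        return None
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if "downloadzip" in decoded:
        reasons.append("downloadzip-action")
    if not reasons:
        return None
    return {
        "ip": m["ip"], "ts": m["ts"], "method": m["method"], "uri": m["uri"],
        "status": int(m["status"]), "reasons": reasons,
        "severity": "high" if "traversal" in reasons else "medium",
    }


def scan_log(text: str) -> list:
    """Scan every line of a log and collect the findings in order."""
    return [f for f in (scan_line(line) for line in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["severity"], finding["ip"], finding["reasons"], finding["uri"])
```

A 200 response on a high-severity finding is the case to cross-check against file integrity monitoring of wp-content/uploads, since it indicates the handler ran rather than rejected the request. The action check alone is medium severity because legitimate administrator use of the feature produces the same request shape; correlating the client with an authenticated session distinguishes the two.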
How to Mitigate CVE-2026-8073
Immediate Actions Required
- Update the Kirki plugin to a version newer than 6.0.6 that includes the fix referenced in the WordPress Kirki API ChangeLog
- Deactivate and remove the Kirki plugin if an immediate update is not feasible
- Back up the WordPress installation, including the uploads directory and database, before applying changes
- Audit the uploads directory for missing or unexpectedly deleted files
Patch Information
The plugin maintainers committed a fix in changeset 3535640, which updates includes/API.php to validate file paths and enforce a capability check on the downloadZIP function. Site administrators should upgrade through the WordPress plugin updater to receive the patched release.
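The two fixes named in the Root Cause and Patch Information sections, canonicalizing the supplied path so it cannot leave the uploads base directory and gating the operation behind a capability check, are shown together in the example below. It is added here for illustration and is not Kirki's code, nor a reproduction of changeset 3535640. The user_can_manage flag is an assumed stand-in for WordPress's current_user_can(), and the uploads directory is a constructed temporary directory.

```python
"""Confined path resolution plus a capability gate for a download-and-delete handler.

Added example; not Kirki's code and not a reproduction of changeset 3535640.
`user_can_manage` is an assumed stand-in for WordPress's current_user_can();
the uploads directory and its contents are constructed for the demo.
"""
import os
import tempfile


class AccessDenied(Exception):
    """Raised when the caller lacks the capability required for the operation."""


def resolve_in_base(base_dir: str, requested: str) -> str:
    """Return the canonical path of `requested` inside `base_dir`.

    Raises ValueError when the input is absolute, contains a NUL byte, or
    resolves (through '..' or a symlink) to a location outside the base.
    """
    base = os.path.realpath(base_dir)
    if os.path.isabs(requested) or "\x00" in requested:
        raise ValueError("absolute paths and NUL bytes are not allowed")
    candidate = os.path.realpath(os.path.join(base, requested))
    # Compare canonical paths with commonpath rather than startswith: a plain
    # prefix test would accept a sibling directory such as <base>_evil.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes the base directory: {requested!r}")
    return candidate


def download_and_delete(base_dir: str, requested: str, user_can_manage: bool) -> bytes:
    """Authorization first, then confined resolution, then the file operation."""
    if not user_can_manage:
        raise AccessDenied("caller lacks the required capability")
    target = resolve_in_base(base_dir, requested)
    if not os.path.isfile(target):
        raise FileNotFoundError(target)
    with open(target, "rb") as fh:
        data = fh.read()
    os.remove(target)
    return data


def demo() -> dict:
    """Exercise the handler against constructed inputs and report each outcome."""
    uploads = tempfile.mkdtemp(prefix="uploads-")
    archive = os.path.join(uploads, "export.zip")
    with open(archive, "wb") as fh:
        fh.write(b"PK\x05\x06")  # constructed stand-in for an archive payload
    # A file next to (not inside) the base that a traversal input points at.
    outside = uploads + "-outside.txt"
    with open(outside, "w") as fh:
        fh.write("must survive")

    outcomes = {}
    for name in ("../" + os.path.basename(outside), "/etc/hostname", "sub/../../x", "a\x00b"):
        try:
            resolve_in_base(uploads, name)
            outcomes[name] = "accepted"
        except ValueError:
            outcomes[name] = "rejected"
    try:
        download_and_delete(uploads, "export.zip", user_can_manage=False)
        outcomes["unauthorized"] = "allowed"
    except AccessDenied:
        outcomes["unauthorized"] = "denied"
    outcomes["authorized_bytes"] = download_and_delete(uploads, "export.zip", user_can_manage=True)
    outcomes["archive_removed"] = not os.path.exists(archive)
    outcomes["outside_intact"] = os.path.exists(outside)
    os.remove(outside)
    os.rmdir(uploads)
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value!r}")
```

The order of checks matters: the capability check runs before any path handling so that an unauthenticated caller gets no signal about which names resolve, and the containment check works on realpath output so that symlinks inside the uploads tree pointing elsewhere are caught as well as literal ../ sequences.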
Workarounds
- Restrict access to the WordPress site at the web application firewall (WAF) layer and block requests invoking the Kirki downloadZIP action
- Apply HTTP rules that reject requests containing path traversal patterns targeting Kirki endpoints
- Limit file system permissions on the WordPress uploads directory to reduce the impact of unauthorized deletions
# Example WAF rule pattern to block requests targeting the vulnerable endpoint
# Adapt to your WAF syntax (ModSecurity example). phase:2 is required so that
# ARGS also covers POST body parameters; in phase:1 only query-string arguments
# are available. The chained rule decodes once more before lower-casing so that
# double-encoded forms such as %252e%252e%252f normalize to ../ before matching.
SecRule REQUEST_URI "@contains kirki" \
    "id:1008073,\
    phase:2,\
    deny,\
    status:403,\
    log,\
    msg:'Block Kirki downloadZIP exploitation attempt CVE-2026-8073',\
    chain"
    SecRule ARGS "@rx (\.\./|%2e%2e%2f)" "t:none,t:urlDecodeUni,t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


