CVE-2026-8096 Overview
CVE-2026-8096 is an authorization bypass vulnerability in the Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress. The flaw affects all versions up to and including 6.0.6. The plugin fails to verify whether a user is authorized to perform specific actions in its AJAX handlers. Authenticated attackers with subscriber-level access or above can enumerate all Kirki frontend forms and read stored visitor submission data. Exposed information includes contact details, messages, and any other visitor-provided data submitted through site forms. The issue is tracked under CWE-862: Missing Authorization.
Critical Impact
Authenticated users with low-privileged subscriber accounts can read confidential visitor submissions collected by every Kirki form on the site.
Affected Products
- Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress
- All versions up to and including 6.0.6
- WordPress sites with Kirki installed where an attacker can obtain any authenticated account, for example through open subscriber registration or a compromised low-privileged user
Discovery Timeline
- 2026-05-19 - CVE-2026-8096 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8096
Vulnerability Analysis
The Kirki plugin exposes AJAX endpoints that handle frontend form retrieval and submission data access. These endpoints do not enforce capability checks before returning sensitive data. Any authenticated session, including the lowest-privileged subscriber role, can invoke the affected handlers. The plugin returns form configurations and stored submission records without verifying that the requester has permission to view them. This converts data intended for site administrators into information readable by every registered user. The vulnerability is exploitable over the network and requires only low privileges with no user interaction.
Root Cause
The root cause is missing authorization logic in the plugin's AJAX action handlers, classified as CWE-862: Missing Authorization. The affected code path in includes/Ajax.php processes requests without a capability check such as current_user_can() to confirm that the caller is allowed to read the requested data; the only requirement the handler enforces is an authenticated session. The vendor's changeset 3535640 introduces the authorization check that was previously absent. Reviewers can compare the pre-patch logic in any affected release, for example the Kirki 6.0.4 Ajax.php source, against that changeset.
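The pattern described above, as an added illustration that is not Kirki's code: a minimal WordPress AJAX handler with the authorization check missing, beside the same handler with the gate added. The action names (demo_get_submissions_vuln, demo_get_submissions), the nonce action demo_ajax, the form_id parameter and the demo_get_form_submissions() storage helper are placeholders, not identifiers taken from the plugin.

```php
<?php
/*
 * Added example, not code from the Kirki plugin: a WordPress AJAX handler
 * showing the CWE-862 shape the advisory describes, beside a hardened form.
 * All action names, the nonce action and the storage helper are placeholders.
 */

// Placeholder for however the plugin reads stored submissions.
// The rows below are constructed sample data.
function demo_get_form_submissions( int $form_id ): array {
    $store = array(
        1 => array( array( 'name' => 'A. Visitor', 'email' => 'a@example.com', 'message' => 'Hello' ) ),
        2 => array( array( 'name' => 'B. Visitor', 'email' => 'b@example.com', 'message' => 'Quote?' ) ),
    );
    return $store[ $form_id ] ?? array();
}

// VULNERABLE: the wp_ajax_ hook already limits the endpoint to logged-in users,
// and the callback never asks whether that user may read submissions. A
// subscriber holding a valid nonce dumps every form just by iterating form_id.
function demo_get_submissions_vuln() {
    // A nonce is a CSRF token: it proves the request came from a page this site
    // served to this user. Every logged-in user can obtain one, so it is not
    // an authorization control.
    check_ajax_referer( 'demo_ajax', 'nonce' );
    $form_id = absint( $_POST['form_id'] ?? 0 );
    wp_send_json_success( demo_get_form_submissions( $form_id ) );
}
add_action( 'wp_ajax_demo_get_submissions_vuln', 'demo_get_submissions_vuln' );

// HARDENED: same endpoint with the capability check that was missing.
function demo_get_submissions() {
    check_ajax_referer( 'demo_ajax', 'nonce' );

    // Authorization gate. manage_options is the generic administrator capability;
    // a plugin that defines a narrower capability for reading submissions
    // should check that one instead. wp_send_json_error() ends the request.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( 0 === $form_id ) {
        wp_send_json_error( array( 'message' => 'invalid form_id' ), 400 );
    }
    wp_send_json_success( demo_get_form_submissions( $form_id ) );
}
add_action( 'wp_ajax_demo_get_submissions', 'demo_get_submissions' );
```

The vulnerable variant passes every check WordPress performs on its own (login state via the wp_ajax_ prefix, CSRF via the nonce) and still leaks, which is why CWE-862 in WordPress plugins so often survives review. Two related rules: never register a handler that returns admin-only data on the wp_ajax_nopriv_ hook, and perform the capability check before any data access, not after.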
Attack Vector
An attacker registers a subscriber account on a target WordPress site or compromises any existing low-privileged account. The attacker authenticates and obtains a valid WordPress nonce; a nonce is a CSRF token that WordPress hands to any logged-in user (typically in a localized script variable or a form field), so it does not restrict who may call the handler. The attacker then issues POST requests to wp-admin/admin-ajax.php carrying the vulnerable Kirki action, iterating across form identifiers to enumerate every frontend form and its stored submissions. The response contains raw visitor data harvested from contact forms, including names, email addresses, messages, and any custom fields configured by the site owner. No administrative interface interaction or social engineering is required.
No public proof-of-concept code has been released. The mechanism is documented in the Wordfence vulnerability report.
Detection Methods for CVE-2026-8096
Indicators of Compromise
- admin-ajax.php POST requests carrying the affected Kirki action from sessions that belong to subscriber or other low-privileged users
- Large admin-ajax.php responses containing form submission payloads returned to non-administrator accounts
- Subscriber accounts created shortly before bursts of AJAX traffic to Kirki endpoints
- Structured contact data (names, email addresses, messages) in responses tied to the session cookies of non-administrator users, particularly from one IP stepping through form identifiers
Detection Strategies
- Review access logs for POST requests to admin-ajax.php from subscriber or contributor sessions; because the action name and form identifier travel in the POST body, a default web server log records only the URL, so enable request body logging or log the action from inside WordPress (for example from a must-use plugin hooked on admin_init) to see which Kirki action was called
- Correlate user role with AJAX response size, flagging cases where low-privilege sessions receive large JSON responses
- Inspect the plugin version inventory across hosted WordPress sites and flag installations at or below version 6.0.6
Monitoring Recommendations
- Log admin-ajax.php requests with the WordPress user ID and role attached (the web server alone cannot see the role) and forward the events to a central SIEM for role-based analysis
- Monitor new user registrations and pair them with subsequent AJAX activity within the first session
- Alert on repeated AJAX calls from a single authenticated session that iterate through sequential form identifiers
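A WordPress-side logger for the detection and monitoring items above, written as an added example that is not part of the advisory or of the Kirki plugin. It is a must-use plugin that attaches the user ID and roles to every admin-ajax.php request whose action matches a prefix, and writes an alert line when one non-administrator account walks through many form identifiers inside a time window. The action prefix kirki, the parameter name form_id and the manage_options capability are assumptions; replace them with the real action name and parameter from the vendor changeset.

```php
<?php
/*
 * Plugin Name: Kirki AJAX audit (added example)
 * Added monitoring example, not part of the advisory or the Kirki plugin.
 * Place in wp-content/mu-plugins/. Logs admin-ajax.php requests whose action
 * matches KAUDIT_ACTION_PREFIX when the caller lacks KAUDIT_CAPABILITY, and
 * flags one account enumerating many form ids within KAUDIT_WINDOW seconds.
 */

const KAUDIT_ACTION_PREFIX = 'kirki';          // assumption: affected action names start with this
const KAUDIT_FORM_PARAM    = 'form_id';        // assumption: the parameter an attacker iterates
const KAUDIT_CAPABILITY    = 'manage_options'; // callers with this capability are not logged
const KAUDIT_WINDOW        = 300;              // seconds of inactivity before the counter resets
const KAUDIT_THRESHOLD     = 10;               // distinct form ids per window that trigger an alert

// admin-ajax.php fires admin_init before dispatching any wp_ajax_* handler,
// so this runs ahead of the plugin's own code for every AJAX request.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 0 !== strpos( $action, KAUDIT_ACTION_PREFIX ) ) {
        return;
    }
    $user = wp_get_current_user();
    if ( 0 === $user->ID || current_user_can( KAUDIT_CAPABILITY ) ) {
        return; // anonymous or authorized callers are outside this check's scope
    }
    $form_id = isset( $_REQUEST[ KAUDIT_FORM_PARAM ] ) ? absint( $_REQUEST[ KAUDIT_FORM_PARAM ] ) : 0;
    $ip      = $_SERVER['REMOTE_ADDR'] ?? '-';

    // One line per request with the fields the web server log lacks.
    error_log( sprintf(
        'kaudit: user=%d roles=%s ip=%s action=%s %s=%d',
        $user->ID, implode( ',', $user->roles ), $ip, $action, KAUDIT_FORM_PARAM, $form_id
    ) );

    // Distinct form ids seen per user; the transient expires KAUDIT_WINDOW
    // seconds after the most recent matching request.
    $key  = 'kaudit_' . $user->ID;
    $seen = get_transient( $key );
    if ( ! is_array( $seen ) ) {
        $seen = array();
    }
    $seen[ $form_id ] = time();
    set_transient( $key, $seen, KAUDIT_WINDOW );

    if ( count( $seen ) >= KAUDIT_THRESHOLD ) {
        error_log( sprintf(
            'kaudit ALERT: user %d touched %d distinct form ids within %ds (last ip %s)',
            $user->ID, count( $seen ), KAUDIT_WINDOW, $ip
        ) );
        // Temporary containment on an unpatched site: refuse the request here.
        // wp_send_json_error( array( 'message' => 'blocked' ), 403 );
    }
} );
```

Files in wp-content/mu-plugins/ load on every request without activation. The lines go to PHP's error log (wp-content/debug.log when WP_DEBUG_LOG is set), which the SIEM forwarder can tail; the "kaudit ALERT" line is the event to page on. Uncommenting the wp_send_json_error() call turns the monitor into a stopgap block for non-administrator callers until the patched release is installed.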
How to Mitigate CVE-2026-8096
Immediate Actions Required
- Update the Kirki plugin to the version released in changeset 3535640, which is the first release after 6.0.6
- Audit existing WordPress user accounts and remove unused or suspicious subscriber-level accounts
- Disable open user registration on sites that do not require it by unchecking Settings → General → Membership
- Review stored Kirki form submissions and notify affected visitors if exposure is confirmed
Patch Information
The vendor addressed the missing authorization check in the commit recorded as changeset 3535640. The fix adds capability verification to the affected AJAX handler in includes/Ajax.php, preventing non-authorized roles from invoking the form data retrieval logic. Site operators must upgrade to the patched release; configuration changes alone do not remediate the flaw. Additional context is available in the Wordfence advisory.
Workarounds
- Deactivate the Kirki plugin until the patched version can be installed if immediate upgrade is not possible
- Block requests to wp-admin/admin-ajax.php that carry the affected Kirki action with a web application firewall rule scoped to that action, not to admin-ajax.php as a whole: themes and plugins use admin-ajax.php for legitimate unauthenticated (wp_ajax_nopriv_) and logged-in traffic, and because a WAF cannot see the WordPress role behind a session cookie, the rule should block the action for every client except trusted administrator IP addresses
- Temporarily set WordPress membership settings to disallow new user registrations to reduce the attacker pool
# Configuration example: disable open registration and update the plugin via WP-CLI
# (run from the WordPress root, or pass --path=/path/to/wordpress)
wp option update users_can_register 0     # same effect as unchecking Settings → General → Membership
wp plugin update kirki                     # installs the latest release from the wordpress.org repository
wp plugin list --name=kirki --fields=name,status,version   # confirm the installed version is above 6.0.6
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.