Kirki WordPress Plugin Vulnerability

Reliable Penguin has reviewed managed WordPress servers for a recently disclosed vulnerability in the Kirki WordPress plugin.

Summary

Wordfence published an advisory for a critical unauthenticated privilege escalation vulnerability in the Kirki WordPress plugin. The issue affects Kirki versions 6.0.0 through 6.0.6 and is patched in version 6.0.7. Wordfence assigned the vulnerability a CVSS score of 9.8, which is considered critical. The vulnerability can allow an unauthenticated attacker to take over user accounts, including administrator accounts, by abusing the plugin’s password reset functionality.

Reliable Penguin Response

Reliable Penguin used its internal RP Anvil system to review managed servers for WordPress installations running vulnerable Kirki plugin versions.

As part of this review, RP Anvil scanned managed systems for Kirki plugin installations and checked installed versions against the vulnerable range identified in the advisory.
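As an added example of the version check described above (example code written for this advisory, not Reliable Penguin's RP Anvil tooling), the script below reads the WordPress plugin header from each site's Kirki main file and flags versions inside the 6.0.0 to 6.0.6 range from the advisory. The plugin location wp-content/plugins/kirki/kirki.php is an assumption based on the standard plugin slug, not something taken from the page.

```python
"""Classify WordPress installs by Kirki version against the advisory's range.
Added example for this advisory, not Reliable Penguin's RP Anvil tooling; it
assumes Kirki's main file is wp-content/plugins/kirki/kirki.php (assumption).
"""
import re
import sys
from pathlib import Path
VULN_MIN = (6, 0, 0)  # first affected version per the advisory
VULN_MAX = (6, 0, 6)  # last affected version per the advisory (fixed in 6.0.7)
KIRKI_MAIN = Path("wp-content/plugins/kirki/kirki.php")  # assumed location

# Plugin headers live in a PHP comment block, e.g. " * Version: 6.0.6".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.M)


def parse_version(text):
    """'6.0.6' -> (6, 0, 6); trailing tags such as '-beta1' are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(n or 0) for n in m.groups())


def header_version(php_source):
    """Return the Version header value from a plugin main file, or None."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def is_vulnerable(version):
    """True when the version falls inside the advisory's affected range."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def scan_webroots(webroots):
    """Map each WordPress root to (state, version); state is one of
    'vulnerable', 'not_affected', 'unknown' (no header) or 'absent'."""
    results = {}
    for root in map(Path, webroots):
        main = root / KIRKI_MAIN
        if not main.is_file():
            results[str(root)] = ("absent", None)
            continue
        ver = header_version(main.read_text(errors="replace"))
        if ver is None:
            results[str(root)] = ("unknown", None)
        else:
            state = "vulnerable" if is_vulnerable(ver) else "not_affected"
            results[str(root)] = (state, ver)
    return results


if __name__ == "__main__":
    # Usage: python kirki_check.py /var/www/site1 /var/www/site2 ...
    for root, (state, ver) in scan_webroots(sys.argv[1:]).items():
        print(f"{root}: Kirki {ver or '-'} -> {state}")
```

Pass one or more WordPress document roots as arguments; anything reported as vulnerable should be updated to 6.0.7 or newer as the advisory recommends.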

At this time:

  • Managed servers have been reviewed.

  • Clients with vulnerable WordPress installations have been notified directly.

  • No client action is required at this point for Reliable Penguin managed systems unless we have contacted you directly.

What Clients Should Do

For Reliable Penguin managed systems, no action is required unless you have received a direct notification from us.

For WordPress sites not managed by Reliable Penguin, site owners should review their installations and update Kirki to version 6.0.7 or newer. Wordfence recommends updating as soon as possible due to the critical nature of this vulnerability.

Additional Resources

Questions

If you have questions about this vulnerability or your managed WordPress environment, please contact Reliable Penguin support.
