Kirki Customizer Framework Security & Risk Analysis

wordpress.org/plugins/kirki

The Ultimate Customizer Framework for WordPress Theme Developers

500K active installs · v5.2.2 · PHP 7.4+ · WP 5.3+ · Updated Feb 17, 2026
Tags: customizer, options-framework, theme, toolkit

Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Kirki Customizer Framework Safe to Use in 2026?

Generally Safe

Score 100/100

Kirki Customizer Framework has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

Kirki v5.2.2 presents a generally good security posture, adhering to several best practices. The absence of known CVEs and a strong reliance on prepared statements for SQL queries are positive indicators. Furthermore, the plugin demonstrates a high percentage of properly escaped output, mitigating common cross-site scripting (XSS) risks. The presence of nonce and capability checks on most entry points is also commendable.

However, a notable concern is the significant attack surface exposed through AJAX handlers. Specifically, 5 out of 7 AJAX handlers lack authentication checks. While no critical taint flows or dangerous functions were identified in the static analysis, the potential for unauthorized execution of code via these unprotected AJAX endpoints represents a significant risk. The plugin's history of zero vulnerabilities further reinforces its current stability, but the identified unprotected AJAX endpoints require immediate attention to maintain this strong security record.

In conclusion, Kirki v5.2.2 benefits from a solid foundation of secure coding practices. The plugin's clean vulnerability history and diligent use of prepared statements and output escaping are strengths. Nevertheless, the unprotected AJAX handlers introduce a considerable security gap that could be exploited. Addressing these unprotected entry points is crucial to prevent potential security incidents and ensure the plugin's continued security.

Key Concerns

  • Unprotected AJAX handlers
Vulnerabilities
None known

Kirki Customizer Framework Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Kirki Customizer Framework Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 6 (103 escaped)
Nonce Checks: 3
Capability Checks: 7
File Operations: 3
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

94% escaped · 109 total outputs
Attack Surface
5 unprotected

Kirki Customizer Framework Attack Surface

Entry Points: 7
Unprotected: 5

AJAX Handlers (7)

Type | Hook | Location
auth | wp_ajax_kirki_fonts_standard_all_get | customizer\packages\modules\webfonts\src\Webfonts\Google.php:88
nopriv | wp_ajax_kirki_fonts_standard_all_get | customizer\packages\modules\webfonts\src\Webfonts\Google.php:89
auth | wp_ajax_kirki_dismiss_discount_notice | customizer\packages\settings\src\Notice.php:25
auth | wp_ajax_kirki_clear_font_cache | customizer\packages\settings\src\SetupSettings.php:40
auth | wp_ajax_kirki_prepare_install_udb | customizer\packages\settings\src\SetupSettings.php:41
auth | wp_ajax_kirki_fonts_google_all_get | customizer\packages\utils\googlefonts\src\GoogleFonts.php:47
nopriv | wp_ajax_kirki_fonts_google_all_get | customizer\packages\utils\googlefonts\src\GoogleFonts.php:48
WordPress Hooks (124)

Type | Hook | Location
action | customize_register | customizer\packages\compatibility\src\Aliases.php:152
filter | kirki_config | customizer\packages\compatibility\src\deprecated\filters.php:4
filter | kirki_control_types | customizer\packages\compatibility\src\deprecated\filters.php:8
filter | kirki_section_types | customizer\packages\compatibility\src\deprecated\filters.php:12
filter | kirki_section_types_exclude | customizer\packages\compatibility\src\deprecated\filters.php:16
filter | kirki_control_types_exclude | customizer\packages\compatibility\src\deprecated\filters.php:20
filter | kirki_controls | customizer\packages\compatibility\src\deprecated\filters.php:24
filter | kirki_fields | customizer\packages\compatibility\src\deprecated\filters.php:28
filter | kirki_modules | customizer\packages\compatibility\src\deprecated\filters.php:32
filter | kirki_panel_types | customizer\packages\compatibility\src\deprecated\filters.php:36
filter | kirki_setting_types | customizer\packages\compatibility\src\deprecated\filters.php:40
filter | kirki_variable | customizer\packages\compatibility\src\deprecated\filters.php:44
filter | kirki_values_get_value | customizer\packages\compatibility\src\deprecated\filters.php:48
action | init | customizer\packages\compatibility\src\deprecated\filters.php:52
filter | kirki_enqueue_google_fonts | customizer\packages\compatibility\src\deprecated\filters.php:82
filter | kirki_styles_array | customizer\packages\compatibility\src\deprecated\filters.php:86
filter | kirki_dynamic_css_method | customizer\packages\compatibility\src\deprecated\filters.php:90
filter | kirki_postmessage_script | customizer\packages\compatibility\src\deprecated\filters.php:94
filter | kirki_fonts_all | customizer\packages\compatibility\src\deprecated\filters.php:98
filter | kirki_fonts_standard_fonts | customizer\packages\compatibility\src\deprecated\filters.php:102
filter | kirki_fonts_google_fonts | customizer\packages\compatibility\src\deprecated\filters.php:106
filter | kirki_googlefonts_load_method | customizer\packages\compatibility\src\deprecated\filters.php:110
action | wp_loaded | customizer\packages\compatibility\src\Init.php:43
filter | kirki_control_types | customizer\packages\compatibility\src\Init.php:44
action | customize_register | customizer\packages\compatibility\src\Init.php:46
action | admin_notices | customizer\packages\compatibility\src\Init.php:48
action | admin_init | customizer\packages\compatibility\src\Init.php:49
action | customize_register | customizer\packages\compatibility\src\Init.php:102
action | customize_register | customizer\packages\compatibility\src\Init.php:103
action | after_setup_theme | customizer\packages\compatibility\src\Modules.php:49
action | after_setup_theme | customizer\packages\compatibility\src\Modules.php:50
action | plugins_loaded | customizer\packages\controls\headline-divider\headline-divider.php:53
filter | kirki_control_types | customizer\packages\controls\headline-divider\src\Init.php:21
filter | kirki_output_item_args | customizer\packages\controls\image\src\Field\Image.php:56
filter | kirki_output_control_classnames | customizer\packages\controls\image\src\Field\Image.php:57
action | plugins_loaded | customizer\packages\controls\input-slider\input-slider.php:53
filter | kirki_control_types | customizer\packages\controls\input-slider\src\Init.php:25
action | plugins_loaded | customizer\packages\controls\margin-padding\margin-padding.php:53
action | customize_preview_init | customizer\packages\controls\margin-padding\src\Field\Margin.php:58
filter | kirki_output_control_classnames | customizer\packages\controls\margin-padding\src\Field\Margin.php:59
filter | kirki_control_types | customizer\packages\controls\margin-padding\src\Init.php:21
action | customize_preview_init | customizer\packages\controls\react-colorful\src\Field\ReactColorful.php:60
filter | kirki_output_control_classnames | customizer\packages\controls\react-colorful\src\Field\ReactColorful.php:61
action | plugins_loaded | customizer\packages\controls\responsive\responsive.php:53
action | customize_register | customizer\packages\controls\responsive\src\Init.php:34
filter | kirki_control_types | customizer\packages\controls\responsive\src\Init.php:35
filter | kirki_field_exclude_init | customizer\packages\controls\responsive\src\Init.php:37
action | kirki_field_custom_init | customizer\packages\controls\responsive\src\Init.php:38
filter | kirki_get_value | customizer\packages\controls\responsive\src\Init.php:44
filter | pre_set_site_transient_update_plugins | customizer\packages\controls\tabs\edd\EDD_SL_Plugin_Updater.php:73
filter | plugins_api | customizer\packages\controls\tabs\edd\EDD_SL_Plugin_Updater.php:74
action | after_plugin_row | customizer\packages\controls\tabs\edd\EDD_SL_Plugin_Updater.php:75
action | admin_init | customizer\packages\controls\tabs\edd\EDD_SL_Plugin_Updater.php:76
filter | kirki_control_types | customizer\packages\controls\tabs\src\Init.php:23
filter | kirki_field_add_control_args | customizer\packages\controls\tabs\src\Init.php:24
action | kirki_section_init | customizer\packages\controls\tabs\src\Init.php:25
action | plugins_loaded | customizer\packages\controls\tabs\tabs.php:55
action | customize_preview_init | customizer\packages\fields\background\src\Background.php:246
filter | kirki_output_control_classnames | customizer\packages\fields\background\src\Background.php:247
action | wp_loaded | customizer\packages\fields\base\src\Field.php:90
action | wp | customizer\packages\fields\base\src\Field.php:97
action | customize_register | customizer\packages\fields\base\src\Field.php:107
action | customize_register | customizer\packages\fields\base\src\Field.php:110
action | customize_register | customizer\packages\fields\base\src\Field.php:113
filter | kirki_field_add_setting_args | customizer\packages\fields\base\src\Field.php:116
filter | kirki_field_add_control_args | customizer\packages\fields\base\src\Field.php:117
action | customize_controls_enqueue_scripts | customizer\packages\fields\dimensions\src\Dimensions.php:43
action | customize_preview_init | customizer\packages\fields\dimensions\src\Dimensions.php:44
filter | kirki_output_control_classnames | customizer\packages\fields\dimensions\src\Dimensions.php:45
filter | kirki_output_control_classnames | customizer\packages\fields\multicolor\src\Field\Multicolor.php:41
action | customize_controls_enqueue_scripts | customizer\packages\fields\typography\src\Field\Typography.php:209
action | customize_preview_init | customizer\packages\fields\typography\src\Field\Typography.php:210
filter | kirki_output_control_classnames | customizer\packages\fields\typography\src\Field\Typography.php:211
action | plugins_loaded | customizer\packages\index.php:77
action | kirki_field_init | customizer\packages\modules\css\src\CSS.php:82
action | init | customizer\packages\modules\css\src\CSS.php:83
action | wp | customizer\packages\modules\css\src\CSS.php:96
action | wp_enqueue_scripts | customizer\packages\modules\css\src\CSS.php:106
action | wp_head | customizer\packages\modules\css\src\CSS.php:108
action | admin_init | customizer\packages\modules\editor-styles\src\Editor_Styles.php:80
action | enqueue_block_editor_assets | customizer\packages\modules\editor-styles\src\Editor_Styles.php:107
action | after_setup_theme | customizer\packages\modules\editor-styles\src\Editor_Styles.php:108
action | customize_controls_enqueue_scripts | customizer\packages\modules\field-dependencies\src\Field_Dependencies.php:48
filter | kirki_field_add_control_args | customizer\packages\modules\field-dependencies\src\Field_Dependencies.php:49
action | customize_register | customizer\packages\modules\panels\src\Panel.php:63
action | customize_controls_enqueue_scripts | customizer\packages\modules\panels\src\Panel.php:65
action | customize_register | customizer\packages\modules\panels\src\Panel.php:112
action | customize_preview_init | customizer\packages\modules\postmessage\src\Postmessage.php:37
action | kirki_field_add_setting_args | customizer\packages\modules\postmessage\src\Postmessage.php:38
action | customize_controls_print_footer_scripts | customizer\packages\modules\preset\src\Preset.php:38
filter | kirki_field_add_control_args | customizer\packages\modules\preset\src\Preset.php:39
action | customize_controls_enqueue_scripts | customizer\packages\modules\section-icons\src\Section_Icons.php:56
action | kirki_panel_added | customizer\packages\modules\section-icons\src\Section_Icons.php:57
action | kirki_section_added | customizer\packages\modules\section-icons\src\Section_Icons.php:58
action | customize_register | customizer\packages\modules\sections\src\Section.php:65
action | customize_register | customizer\packages\modules\sections\src\Section.php:68
action | customize_controls_enqueue_scripts | customizer\packages\modules\sections\src\Section.php:70
action | customize_controls_print_footer_scripts | customizer\packages\modules\sections\src\Section.php:71
action | customize_register | customizer\packages\modules\sections\src\Section.php:142
filter | kirki_field_add_setting_args | customizer\packages\modules\selective-refresh\src\Selective_Refresh.php:35
action | customize_controls_print_footer_scripts | customizer\packages\modules\tooltips\src\Tooltips.php:41
filter | kirki_field_add_control_args | customizer\packages\modules\tooltips\src\Tooltips.php:42
action | wp_head | customizer\packages\modules\webfonts\src\Webfonts\Async.php:82
action | wp_head | customizer\packages\modules\webfonts\src\Webfonts\Async.php:83
action | admin_enqueue_scripts | customizer\packages\modules\webfonts\src\Webfonts\Async.php:86
action | admin_enqueue_scripts | customizer\packages\modules\webfonts\src\Webfonts\Async.php:87
action | wp | customizer\packages\modules\webfonts\src\Webfonts\Embed.php:72
action | kirki_dynamic_css | customizer\packages\modules\webfonts\src\Webfonts\Embed.php:85
action | kirki_field_init | customizer\packages\modules\webfonts\src\Webfonts.php:51
action | wp_loaded | customizer\packages\modules\webfonts\src\Webfonts.php:52
action | admin_notices | customizer\packages\settings\src\Notice.php:23
action | admin_enqueue_scripts | customizer\packages\settings\src\Notice.php:24
action | init | customizer\packages\settings\src\SetupSettings.php:22
action | admin_menu | customizer\packages\settings\src\SetupSettings.php:35
action | admin_enqueue_scripts | customizer\packages\settings\src\SetupSettings.php:36
action | admin_enqueue_scripts | customizer\packages\settings\src\SetupSettings.php:37
filter | admin_body_class | customizer\packages\settings\src\SetupSettings.php:38
filter | kirki_field_add_setting_args | customizer\packages\utils\data-option\src\Option.php:27
filter | kirki_field_add_control_args | customizer\packages\utils\data-option\src\Option.php:28
filter | kirki_get_value | customizer\packages\utils\data-option\src\Option.php:29
action | init | customizer\packages\utils\l10n\src\L10n.php:62
filter | override_load_textdomain | customizer\packages\utils\l10n\src\L10n.php:66
filter | http_request_args | customizer\packages\utils\src\Util.php:37
action | kirki_field_init | customizer\packages\utils\src\Util.php:38
Maintenance & Trust

Kirki Customizer Framework Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 17, 2026
PHP min version: 7.4
Downloads: 12.1M

Community Trust

Rating: 90/100
Number of ratings: 78
Active installs: 500K
Developer Profile

Kirki Customizer Framework Developer Profile

Themeum

14 plugins · 675K total installs

Trust score: 70
Avg Security Score: 87/100
Avg Patch Time: 269 days
Detection Fingerprints

How We Detect Kirki Customizer Framework

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/kirki/customizer/assets/js/kirki.js
/wp-content/plugins/kirki/customizer/assets/css/kirki-controls.css
/wp-content/plugins/kirki/customizer/assets/css/kirki-frontend.css
/wp-content/plugins/kirki/customizer/assets/js/import-export.js
/wp-content/plugins/kirki/customizer/assets/js/remote-images.js
Script Paths
/wp-content/plugins/kirki/customizer/assets/js/kirki.js
/wp-content/plugins/kirki/customizer/assets/js/import-export.js
/wp-content/plugins/kirki/customizer/assets/js/remote-images.js
Version Parameters
/wp-content/plugins/kirki/customizer/assets/js/kirki.js?ver=
/wp-content/plugins/kirki/customizer/assets/css/kirki-controls.css?ver=
/wp-content/plugins/kirki/customizer/assets/css/kirki-frontend.css?ver=
/wp-content/plugins/kirki/customizer/assets/js/import-export.js?ver=
/wp-content/plugins/kirki/customizer/assets/js/remote-images.js?ver=

HTML / DOM Fingerprints

CSS Classes
kirki-controls-wrap, kirki-sidebar-section, kirki-color-picker, kirki-slider, kirki-responsive-preview, kirki-responsive-device, kirki-tabs-wrap, kirki-tab
Data Attributes
data-kirki-control, data-kirki-id, data-setting, data-choices
JS Globals
kirkiKirkiCustomizer
FAQ

Frequently Asked Questions about Kirki Customizer Framework