ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-8073 in Kirki WordPress Plugin Enables Unauthenticated File Read and Deletion

A short review of CVE-2026-8073, a high severity path traversal vulnerability in the Kirki WordPress plugin that allows unauthenticated attackers to read and delete files within the uploads directory. Over 500,000 active installations are affected.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Brief Summary: CVE-2026-8073 in Kirki WordPress Plugin Enables Unauthenticated File Read and Deletion
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing authorization check in a popular WordPress page builder plugin means that any unauthenticated visitor can read and delete files from the site's uploads directory using nothing more than a crafted GET request. With over 500,000 active installations, CVE-2026-8073 in the Kirki plugin represents a significant exposure across the WordPress ecosystem.

Kirki, developed by Themeum, is a freeform page builder, website builder, and advanced theme customizer for WordPress. It allows users to design websites visually without writing code. Its half a million active installations place it among the more widely deployed builder plugins in the WordPress plugin directory.

Technical Information

Vulnerability Classification

CVE-2026-8073 is classified under CWE-23 (Relative Path Traversal). The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, resulting in a score of 7.5 (High). The vector reflects the fact that exploitation requires no privileges, no user interaction, and is accessible over the network with low attack complexity. The confidentiality impact is rated High, while integrity and availability impacts are rated None in the CVSS scoring, though the vulnerability description confirms that file deletion is also possible.

Root Cause

The vulnerability resides in the downloadZIP function within the API.php file. Two distinct flaws combine to create the exploitable condition:

  1. Missing capability check: The endpoint processes incoming GET requests without verifying the caller's authorization level. There is no WordPress capability check (such as current_user_can()) gating access to the function. This means any unauthenticated visitor to the site can invoke the endpoint.

  2. Insufficient file path validation: The file name parameter passed to the function is not properly sanitized. The code does not apply the basename() function or equivalent path normalization, and it does not enforce a strict file extension check. This allows an attacker to supply relative path traversal sequences in the file name parameter to reach files outside the intended directory scope, though the traversal is limited to the WordPress uploads base directory.

Attack Flow

Based on the available source materials, exploitation follows this sequence:

  1. The attacker identifies a WordPress site running Kirki plugin version 6.0.6 or earlier.
  2. The attacker crafts a GET request targeting the downloadZIP endpoint exposed by the plugin's API.
  3. The request includes a manipulated file name parameter containing path traversal sequences (e.g., ../ patterns) to reference a target file within the WordPress uploads base directory.
  4. Because no capability check exists, the server processes the request regardless of authentication status.
  5. Because no input sanitization or extension validation is applied, the function resolves the manipulated path and either serves the file contents to the attacker (file read) or deletes the file (file deletion).

The scope of the vulnerability is limited to the WordPress uploads base directory (wp-content/uploads/ by default). While this boundary prevents full filesystem traversal, the uploads directory commonly contains media files, plugin generated exports, backup archives, and other sensitive data.

What the Patch Changes

The changeset visible in the WordPress plugin repository (changeset 3535640) reveals that version 6.0.7 introduces three specific protections in API.php:

  1. A capability check using HelperFunctions to ensure only authorized users with full access can trigger the endpoint.
  2. Input sanitization on the file name parameter using text sanitization and the basename() function, which strips directory traversal sequences.
  3. A strict validation check ensuring the file extension is exactly zip before processing the file path.

These three changes together close both the authorization bypass and the path traversal vector.

Affected Systems and Versions

All versions of the Kirki Freeform Page Builder, Website Builder and Customizer plugin from version 0 through version 6.0.6 (inclusive) are vulnerable. Version 6.0.7 contains the fix.

The plugin is distributed through the official WordPress plugin repository and has over 500,000 active installations. Any WordPress site running a vulnerable version of the plugin is exposed, regardless of other security configurations, because the vulnerability requires no authentication to exploit.

Vendor Security History

Themeum has demonstrated active maintenance of the Kirki plugin. The changelog indicates that version 6.0.6, the release immediately preceding the patched version, also addressed a separate security vulnerability related to media search functionality. This suggests an ongoing pattern of security remediation, though the provided intelligence does not detail a broader historical security track record for the vendor.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization