Introduction
A missing authorization check in a popular WordPress page builder plugin means that any unauthenticated visitor can read and delete files from the site's uploads directory using nothing more than a crafted GET request. With over 500,000 active installations, CVE-2026-8073 in the Kirki plugin represents a significant exposure across the WordPress ecosystem.
Kirki, developed by Themeum, is a freeform page builder, website builder, and advanced theme customizer for WordPress. It allows users to design websites visually without writing code. Its half a million active installations place it among the more widely deployed builder plugins in the WordPress plugin directory.
Technical Information
Vulnerability Classification
CVE-2026-8073 is classified under CWE-23 (Relative Path Traversal). The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, resulting in a score of 7.5 (High). The vector reflects the fact that exploitation requires no privileges, no user interaction, and is accessible over the network with low attack complexity. The confidentiality impact is rated High, while integrity and availability impacts are rated None in the CVSS scoring, though the vulnerability description confirms that file deletion is also possible.
Root Cause
The vulnerability resides in the downloadZIP function within the API.php file. Two distinct flaws combine to create the exploitable condition:
-
Missing capability check: The endpoint processes incoming GET requests without verifying the caller's authorization level. There is no WordPress capability check (such as
current_user_can()) gating access to the function. This means any unauthenticated visitor to the site can invoke the endpoint. -
Insufficient file path validation: The file name parameter passed to the function is not properly sanitized. The code does not apply the
basename()function or equivalent path normalization, and it does not enforce a strict file extension check. This allows an attacker to supply relative path traversal sequences in the file name parameter to reach files outside the intended directory scope, though the traversal is limited to the WordPress uploads base directory.
Attack Flow
Based on the available source materials, exploitation follows this sequence:
- The attacker identifies a WordPress site running Kirki plugin version 6.0.6 or earlier.
- The attacker crafts a GET request targeting the
downloadZIPendpoint exposed by the plugin's API. - The request includes a manipulated file name parameter containing path traversal sequences (e.g.,
../patterns) to reference a target file within the WordPress uploads base directory. - Because no capability check exists, the server processes the request regardless of authentication status.
- Because no input sanitization or extension validation is applied, the function resolves the manipulated path and either serves the file contents to the attacker (file read) or deletes the file (file deletion).
The scope of the vulnerability is limited to the WordPress uploads base directory (wp-content/uploads/ by default). While this boundary prevents full filesystem traversal, the uploads directory commonly contains media files, plugin generated exports, backup archives, and other sensitive data.
What the Patch Changes
The changeset visible in the WordPress plugin repository (changeset 3535640) reveals that version 6.0.7 introduces three specific protections in API.php:
- A capability check using
HelperFunctionsto ensure only authorized users with full access can trigger the endpoint. - Input sanitization on the file name parameter using text sanitization and the
basename()function, which strips directory traversal sequences. - A strict validation check ensuring the file extension is exactly
zipbefore processing the file path.
These three changes together close both the authorization bypass and the path traversal vector.
Affected Systems and Versions
All versions of the Kirki Freeform Page Builder, Website Builder and Customizer plugin from version 0 through version 6.0.6 (inclusive) are vulnerable. Version 6.0.7 contains the fix.
The plugin is distributed through the official WordPress plugin repository and has over 500,000 active installations. Any WordPress site running a vulnerable version of the plugin is exposed, regardless of other security configurations, because the vulnerability requires no authentication to exploit.
Vendor Security History
Themeum has demonstrated active maintenance of the Kirki plugin. The changelog indicates that version 6.0.6, the release immediately preceding the patched version, also addressed a separate security vulnerability related to media search functionality. This suggests an ongoing pattern of security remediation, though the provided intelligence does not detail a broader historical security track record for the vendor.



