Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-exploitable with no auth (PR:N, AV:N) per unauthenticated IDOR description; C:N because no data disclosure is indicated; I:L and A:L for bounded object manipulation impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.
AnalysisAI
Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No authentication is required (PR:N per CVSS vector) and no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 Medium score is supported by a straightforward vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP POST or GET request to a WordPress site running Kirki <= 6.0.11, supplying a manipulated object identifier (such as another user's customizer setting ID or option reference) in the request parameters. Because Kirki does not verify that the requestor owns or has rights to the referenced object, the server processes the request and modifies or disrupts the target data. … |
| Remediation | Update the Kirki plugin to the version that follows 6.0.11 as identified in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-11-insecure-direct-object-references-idor-vulnerability - the exact patched version number is not confirmed from available data and should be verified before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Object injection in the Themeum Kirki WordPress customizer framework (all versions through 6.0.12) allows attackers to a
Blind SQL injection in the Themeum Kirki WordPress customizer framework (all versions up to and including 6.0.12) lets r
Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows r
Stored cross-site scripting in the Themeum Kirki WordPress customizer framework (versions through 6.0.11) lets an attack
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41289
GHSA-vj33-3xg6-g6ww