Skip to main content

Kirki CVE-2026-57680

| EUVDEUVD-2026-41289 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-02 Patchstack GHSA-vj33-3xg6-g6ww
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
vuln.today AI
6.5 MEDIUM

Network-exploitable with no auth (PR:N, AV:N) per unauthenticated IDOR description; C:N because no data disclosure is indicated; I:L and A:L for bounded object manipulation impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:34 vuln.today

DescriptionCVE.org

Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.

AnalysisAI

Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with Kirki plugin active
Delivery
Enumerate or guess valid object identifiers
Exploit
Send unauthenticated HTTP request with manipulated object reference
Execution
Bypass authorization check in Kirki
Impact
Modify or disrupt target customizer object

Vulnerability AssessmentAI

Exploitation No authentication is required (PR:N per CVSS vector) and no user interaction is needed (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 Medium score is supported by a straightforward vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST or GET request to a WordPress site running Kirki <= 6.0.11, supplying a manipulated object identifier (such as another user's customizer setting ID or option reference) in the request parameters. Because Kirki does not verify that the requestor owns or has rights to the referenced object, the server processes the request and modifies or disrupts the target data. …
Remediation Update the Kirki plugin to the version that follows 6.0.11 as identified in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-11-insecure-direct-object-references-idor-vulnerability - the exact patched version number is not confirmed from available data and should be verified before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57680 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy