Skip to main content

Kirki CVE-2026-57727

| EUVDEUVD-2026-43373 HIGH
Missing Authorization (CWE-862)
2026-07-13 Patchstack
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable endpoint (AV:N/AC:L/PR:N/UI:N) with a missing authorization check that leaks data, so C:H but I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:43 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.5

DescriptionCVE.org

Missing Authorization vulnerability in Themeum Kirki kirki allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Kirki: from n/a through <= 6.0.13.

AnalysisAI

Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows remote unauthenticated attackers to reach functionality protected by incorrectly configured access-control levels, resulting in disclosure of sensitive information. The flaw was reported by Patchstack and stems from a missing authorization check (CWE-862); no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Fingerprint WordPress site running Kirki ≤6.0.13
Exploit
Send unauthenticated request to Kirki endpoint
Execution
Bypass missing authorization check
Impact
Retrieve sensitive/configuration data

Vulnerability AssessmentAI

Exploitation Exploitation requires only that a vulnerable Kirki version (≤ 6.0.13) is installed and its affected endpoint is network-reachable - per the CVSS vector AV:N/AC:L/PR:N/UI:N, no authentication, no user interaction, and no special client configuration are needed against a default install. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderately consistent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker enumerates a target WordPress site, identifies that a vulnerable Kirki version (≤6.0.13) is present via theme fingerprinting, and sends a crafted unauthenticated HTTP request to the affected Kirki endpoint. Because the authorization check is missing, the request is served and returns configuration or other sensitive data the attacker should not be able to read. …
Remediation Upgrade Kirki to a release later than 6.0.13; the input confirms 6.0.13 and earlier are affected but does not state an exact fixed version, so released patched version is not independently confirmed - verify the fixed build via the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-13-broken-access-control-vulnerability?_s_id=cve) and the official plugin/theme changelog before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: conduct an inventory of all WordPress instances using Themeum Kirki and confirm installed version numbers to establish exposure scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy