Skip to main content

Kirki WordPress Plugin EUVDEUVD-2026-39743

| CVE-2026-57627 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-26 audit@patchstack.com GHSA-49ff-frjv-g5x5
4.9
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
4.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.9 MEDIUM

Subscriber account (PR:L) required; AC:H reflects specific trigger conditions; Scope:Changed and C:L/I:L capture internal service reachability without direct system compromise.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:15 vuln.today

DescriptionCVE.org

Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions.

AnalysisAI

Server-Side Request Forgery in the Kirki WordPress customizer framework plugin (versions up to and including 6.0.11) allows authenticated subscriber-level users to induce the server to issue arbitrary HTTP requests to internal or external network destinations. The Scope:Changed CVSS designation confirms the exploit can pivot beyond the WordPress application itself to reach internal infrastructure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or compromise subscriber account
Delivery
Identify vulnerable Kirki SSRF endpoint
Exploit
Craft request with internal target URL
Execution
WordPress server issues forged HTTP request
Persist
Read response from internal service or metadata endpoint
Impact
Pivot using leaked credentials or topology data

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account with at minimum the 'subscriber' role (PR:L confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 4.9 (Medium) reflects a genuine balance of factors: the attack is network-reachable (AV:N) with no user interaction (UI:N), but requires a subscriber account (PR:L) and elevated attack complexity (AC:H), which materially limits opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker self-registers a subscriber account on a WordPress site running Kirki ≤ 6.0.11 and submits a crafted authenticated request to the vulnerable Kirki endpoint containing an attacker-controlled URL pointing to an internal cloud metadata service (e.g., http://169.254.169.254/latest/meta-data/). The WordPress server issues the outbound HTTP request and potentially returns the response to the attacker, exposing instance credentials or internal network topology. …
Remediation Upstream fix availability is not independently confirmed from the available data - the Patchstack reference at https://patchstack.com/database/wordpress/plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-11-server-side-request-forgery-ssrf-vulnerability should be consulted for the latest patch release and confirmed fixed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-39743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy