Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Subscriber account (PR:L) required; AC:H reflects specific trigger conditions; Scope:Changed and C:L/I:L capture internal service reachability without direct system compromise.
Primary rating from Vendor (patchstack).
CVSS VectorVendor: patchstack
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Server Side Request Forgery (SSRF) in Kirki <= 6.0.11 versions.
AnalysisAI
Server-Side Request Forgery in the Kirki WordPress customizer framework plugin (versions up to and including 6.0.11) allows authenticated subscriber-level users to induce the server to issue arbitrary HTTP requests to internal or external network destinations. The Scope:Changed CVSS designation confirms the exploit can pivot beyond the WordPress application itself to reach internal infrastructure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress account with at minimum the 'subscriber' role (PR:L confirmed by CVSS vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS score of 4.9 (Medium) reflects a genuine balance of factors: the attack is network-reachable (AV:N) with no user interaction (UI:N), but requires a subscriber account (PR:L) and elevated attack complexity (AC:H), which materially limits opportunistic exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker self-registers a subscriber account on a WordPress site running Kirki ≤ 6.0.11 and submits a crafted authenticated request to the vulnerable Kirki endpoint containing an attacker-controlled URL pointing to an internal cloud metadata service (e.g., http://169.254.169.254/latest/meta-data/). The WordPress server issues the outbound HTTP request and potentially returns the response to the attacker, exposing instance credentials or internal network topology. … |
| Remediation | Upstream fix availability is not independently confirmed from the available data - the Patchstack reference at https://patchstack.com/database/wordpress/plugin/kirki/vulnerability/wordpress-kirki-plugin-6-0-11-server-side-request-forgery-ssrf-vulnerability should be consulted for the latest patch release and confirmed fixed version. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39743
GHSA-49ff-frjv-g5x5