Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AJAX endpoint is unauthenticated and network-reachable by default; confidentiality impact is low as exposure is scoped to kirki_symbol post content only, with no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Kirki - Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get_single_symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by supplying a sequential WordPress post ID.
AnalysisAI
Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The Kirki plugin (version ≤ 6.0.11) must be installed and active on the WordPress site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N scores 5.3 (Medium). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker issues a series of HTTP POST requests to the target WordPress site's wp-admin/admin-ajax.php endpoint, specifying action=get_single_symbol and incrementing the post ID parameter from 1 upward. Because no authorization check is performed, the server returns the full builder metadata and rendered HTML for each matching kirki_symbol post, including any that are in draft or pending status and not yet publicly visible. … |
| Remediation | A fix has been committed to the WordPress plugin repository as changeset 3584702 (https://plugins.trac.wordpress.org/changeset?old=3584702%40kirki&new=3584702%40kirki); however, the exact patched release version number is not independently confirmed from the available data - update to the latest available version in the WordPress plugin directory and verify it is newer than 6.0.11. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unaut
Directory traversal via the unsanitized 'family' parameter in the Kirki plugin for WordPress (all versions up to and inc
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41264
GHSA-v9qp-6jjw-6rfv