Skip to main content

Kirki Page Builder EUVDEUVD-2026-45131

| CVE-2026-15457 MEDIUM
Path Traversal (CWE-22)
2026-07-17 Wordfence GHSA-wpxg-qxjj-h86m
4.9
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Directory deletion impacts integrity and availability, not confidentiality; C:H in the NVD vector contradicts the described impact and is replaced with I:H/A:H.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 05:16 vuln.today
CVE Published
Jul 17, 2026 - 03:43 cve.org
MEDIUM 4.9

DescriptionNVD

The Kirki - Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability.

AnalysisAI

Directory traversal via the unsanitized 'family' parameter in the Kirki plugin for WordPress (all versions up to and including 6.0.13) enables authenticated users holding editor-level access or above to delete arbitrary directories on the server filesystem, risking data loss and site unavailability. Reported by Wordfence, the flaw originates in insufficient path validation within FontService.php and GlobalDataController.php, which process the 'family' parameter without canonicalization or boundary enforcement. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise WordPress editor credentials
Delivery
Authenticate to target WordPress site
Exploit
Craft API request with path traversal payload in 'family' parameter
Execution
FontService.php resolves traversed path without sanitization
Persist
Plugin deletes arbitrary server directory
Impact
Irreversible data loss or site availability disruption

Vulnerability AssessmentAI

Exploitation Exploitation requires an active authenticated WordPress session with editor-level access or higher (confirmed by CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, score 4.9) contains a material inconsistency: C:H implies high confidentiality impact, yet the CVE description exclusively describes directory deletion resulting in data loss and availability disruption - not information disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds or has compromised an editor-level WordPress account on a site running Kirki 6.0.13 or earlier sends a crafted POST request to the plugin's font management API endpoint, supplying a path traversal sequence (e.g., '../../wp-content/uploads') in the 'family' parameter. FontService.php resolves the traversed path and deletes the targeted directory without validation, permanently destroying the contents. …
Remediation A code-level fix has been committed to the WordPress plugin repository as changeset 3608888 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3608888%40kirki&new=3608888%40kirki); however, a specific patched release version number is not confirmed from available data - update the Kirki plugin immediately when an update appears in the WordPress.org plugin dashboard, as the changeset indicates an upstream fix is ready. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45131 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy