Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Directory deletion impacts integrity and availability, not confidentiality; C:H in the NVD vector contradicts the described impact and is replaced with I:H/A:H.
Primary rating from Vendor (Wordfence).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
The Kirki - Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability.
AnalysisAI
Directory traversal via the unsanitized 'family' parameter in the Kirki plugin for WordPress (all versions up to and including 6.0.13) enables authenticated users holding editor-level access or above to delete arbitrary directories on the server filesystem, risking data loss and site unavailability. Reported by Wordfence, the flaw originates in insufficient path validation within FontService.php and GlobalDataController.php, which process the 'family' parameter without canonicalization or boundary enforcement. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an active authenticated WordPress session with editor-level access or higher (confirmed by CVSS PR:H). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N, score 4.9) contains a material inconsistency: C:H implies high confidentiality impact, yet the CVE description exclusively describes directory deletion resulting in data loss and availability disruption - not information disclosure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds or has compromised an editor-level WordPress account on a site running Kirki 6.0.13 or earlier sends a crafted POST request to the plugin's font management API endpoint, supplying a path traversal sequence (e.g., '../../wp-content/uploads') in the 'family' parameter. FontService.php resolves the traversed path and deletes the targeted directory without validation, permanently destroying the contents. … |
| Remediation | A code-level fix has been committed to the WordPress plugin repository as changeset 3608888 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3608888%40kirki&new=3608888%40kirki); however, a specific patched release version number is not confirmed from available data - update the Kirki plugin immediately when an update appears in the WordPress.org plugin dashboard, as the changeset indicates an upstream fix is ready. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPr
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unaut
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45131
GHSA-wpxg-qxjj-h86m