Skip to main content

Kirki

5 CVEs product

Monthly

CVE-2026-57724 CRITICAL Act Now

Object injection in the Themeum Kirki WordPress customizer framework (all versions through 6.0.12) allows attackers to abuse PHP deserialization of untrusted data (CWE-502), potentially leading to arbitrary object instantiation and, given a suitable POP gadget chain, remote code execution or full site compromise. Reported by Patchstack with a maximum CVSS 9.8 rating; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. Because Kirki is a developer toolkit bundled into many premium WordPress themes, exposure depends on which theme/plugin code passes attacker-controllable input into its deserialization path.

Deserialization Kirki
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-57725 HIGH This Week

Stored cross-site scripting in the Themeum Kirki WordPress customizer framework (versions through 6.0.11) lets an attacker persist malicious script that executes in the browsers of users who later view the affected page or admin screen. Because the CVSS scope is marked changed (S:C), a successful payload can act beyond the vulnerable component's boundary, affecting whoever renders the stored input. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Kirki
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57726 CRITICAL Act Now

Blind SQL injection in the Themeum Kirki WordPress customizer framework (all versions up to and including 6.0.12) lets remote attackers inject SQL through improperly neutralized special elements, per the CVSS PR:N vector without authentication, to infer and extract database contents. The scope-changed CVSS 3.1 score of 9.3 reflects impact reaching beyond the plugin's own security boundary into the wider WordPress database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

SQLi Kirki
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57727 HIGH This Week

Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows remote unauthenticated attackers to reach functionality protected by incorrectly configured access-control levels, resulting in disclosure of sensitive information. The flaw was reported by Patchstack and stems from a missing authorization check (CWE-862); no public exploit has been identified at time of analysis. With a CVSS of 7.5 driven purely by confidentiality impact, the practical risk is unauthorized data exposure rather than site takeover.

Authentication Bypass Kirki
NVD
CVSS 3.1
7.5
EPSS
0.4%
CVE-2026-57680 MEDIUM This Month

Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. No public exploit code or CISA KEV listing has been identified at the time of analysis.

Authentication Bypass Kirki
NVD
CVSS 3.1
6.5
EPSS
0.3%
EPSS 1% CVSS 9.8
CRITICAL Act Now

Object injection in the Themeum Kirki WordPress customizer framework (all versions through 6.0.12) allows attackers to abuse PHP deserialization of untrusted data (CWE-502), potentially leading to arbitrary object instantiation and, given a suitable POP gadget chain, remote code execution or full site compromise. Reported by Patchstack with a maximum CVSS 9.8 rating; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. Because Kirki is a developer toolkit bundled into many premium WordPress themes, exposure depends on which theme/plugin code passes attacker-controllable input into its deserialization path.

Deserialization Kirki
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the Themeum Kirki WordPress customizer framework (versions through 6.0.11) lets an attacker persist malicious script that executes in the browsers of users who later view the affected page or admin screen. Because the CVSS scope is marked changed (S:C), a successful payload can act beyond the vulnerable component's boundary, affecting whoever renders the stored input. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

XSS Kirki
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the Themeum Kirki WordPress customizer framework (all versions up to and including 6.0.12) lets remote attackers inject SQL through improperly neutralized special elements, per the CVSS PR:N vector without authentication, to infer and extract database contents. The scope-changed CVSS 3.1 score of 9.3 reflects impact reaching beyond the plugin's own security boundary into the wider WordPress database. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.

SQLi Kirki
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Broken access control in the Themeum Kirki WordPress customizer framework (versions up to and including 6.0.13) allows remote unauthenticated attackers to reach functionality protected by incorrectly configured access-control levels, resulting in disclosure of sensitive information. The flaw was reported by Patchstack and stems from a missing authorization check (CWE-862); no public exploit has been identified at time of analysis. With a CVSS of 7.5 driven purely by confidentiality impact, the practical risk is unauthorized data exposure rather than site takeover.

Authentication Bypass Kirki
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated IDOR in the Kirki WordPress customizer toolkit (versions <= 6.0.11) allows remote unauthenticated attackers to reference and manipulate object identifiers they do not own, resulting in unauthorized modification of data and limited availability disruption. The vulnerability carries no confidentiality impact per the CVSS vector (C:N), but the combination of network-exploitability with zero authentication requirements (AV:N/AC:L/PR:N/UI:N) makes it trivially accessible to any internet-facing WordPress installation running an affected version. No public exploit code or CISA KEV listing has been identified at the time of analysis.

Authentication Bypass Kirki
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy