Skip to main content

Kirki Freeform Page Builder Website Builder Customizer

2 CVEs product

Monthly

CVE-2026-12472 MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass WordPress Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2026-12122 MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure Kirki Freeform Page Builder Website Builder Customizer
NVD
CVSS 3.1
5.3
EPSS
0.5%
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass WordPress Kirki Freeform Page Builder Website Builder Customizer
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.

Authentication Bypass WordPress Information Disclosure +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy