Kirki Freeform Page Builder Website Builder Customizer
Monthly
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.
Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.
Authorization bypass in the Kirki Freeform Page Builder plugin for WordPress (all versions through 6.0.11) enables unauthenticated remote attackers to trigger arbitrary HTML-injected emails to any registered user via the site's own mail infrastructure. Because the email is dispatched through the site's authenticated SMTP path, it inherits the domain's SPF and DKIM reputation, substantially increasing phishing credibility. Critically, attackers can embed a genuine, site-generated WordPress password-reset URL for the target account inside an attacker-controlled HTML body, creating a highly convincing credential-harvesting lure. No public exploit or CISA KEV listing is confirmed at time of analysis.
Unauthenticated sensitive information exposure in the Kirki - Freeform Page Builder, Website Builder & Customizer WordPress plugin (versions through 6.0.11) permits any remote attacker to retrieve the full builder metadata and rendered HTML of any kirki_symbol post - including unpublished drafts - by issuing a crafted AJAX request with a sequential WordPress post ID. The root cause is a missing authorization check (CWE-862) in the get_single_symbol AJAX handler registered in includes/Ajax.php, confirmed by Wordfence. No active exploitation is confirmed in CISA KEV, and no EPSS data was provided, but the trivially automatable nature of post ID enumeration against an unauthenticated network endpoint elevates practical risk above the raw CVSS 5.3 score suggests.