ctipilot.ch

Kirki WordPress Freeform Page Builder 6.0.0-6.0.6 unauthenticated password-reset hijack → admin account takeover; actively exploited; fix v6.0.7

cve · CVE-2026-8206

Coverage timeline
1
first 2026-06-04 → last 2026-06-04
Peak priority
high
1 high
Sources cited
5
4 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
1
see Related entities below
ATT&CK techniques
1
pinned v19.1 · see below

ATT&CK techniques

1 technique observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Persistence TA0003

T1136.001Create Account: Local Account×1

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Evidence: 2026-06-04/cve-2026-8206-cve-2026-8181-kirki-and-burst-statistics-wordp · ATT&CK page ↗

Story timeline

  1. 2026-06-04CVE-2026-8206 + CVE-2026-8181 — Kirki and Burst Statistics WordPress plugins: unauthenticated account takeover under active mass-exploitation
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • bleepingcomputer.com2 (40%)
  • heise.de1 (20%)
  • patchstack.com1 (20%)
  • securityweek.com1 (20%)

Co-occurring entities

Derived — referenced by the same focused operational entries (weekly summaries and report roundups don't count); ×N counts the shared entries.

Entries about Kirki WordPress Freeform Page Builder 6.0.0-6.0.6 unauthenticated password-reset hijack → admin account takeover; actively exploited; fix v6.0.7 (1)

2026-06-04 · view entry permalink →

HIGHCVE-2026-8206 +1exploited

CVE-2026-8206 + CVE-2026-8181 — Kirki and Burst Statistics WordPress plugins: unauthenticated account takeover under active mass-exploitation

Two unauthenticated flaws in widely deployed WordPress plugins are under active mass-exploitation (SecurityWeek, 2026-06-03). CVE-2026-8206 — Kirki Freeform Page Builder 6.0.0–6.0.6 (500k installs): the custom REST endpoint handle_forgot_password() accepts an attacker-supplied email alongside a victim username and routes the genuine reset link to the attacker, giving full takeover of any account including admin; Wordfence blocked 222+ attempts within 24 h of the 2 June disclosure, fix is v6.0.7 (BleepingComputer, 2026-06-02). CVE-2026-8181 — Burst Statistics, versions 3.4.0 through 3.4.1.1 (200k installs): the plugin mis-validates WordPress application passwords in its REST API authentication path, letting an unauthenticated attacker impersonate any known admin over the REST API and create rogue admin accounts (T1136.001); ~7,400 attacks blocked in a single 24 h peak, fix is v3.4.2 (BleepingComputer, 2026-06-02 · heise Security, 2026-06-03). Hunt WordPress access logs for unauthenticated REST calls to /wp-json/kirki/* and the Burst Statistics REST endpoints, and for unexpected admin-user creation.

Wordfence security blocked over 222 active exploitation attempts within 24 hours of public disclosure

BleepingComputer
vulnerability04 Jun 05:00Zmulti-sourceOpen finding ↗