WordPress Kirki Plugin Vulnerable to Arbitrary File Deletion

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress contains a high-severity arbitrary file deletion vulnerability, tracked as CVE-2026-8073. According to the National Vulnerability Database, all versions up to and including 6.0.6 are affected. The flaw stems from insufficient file path validation combined with a missing capability check in the plugin's downloadZIP function: the handler neither verifies that the caller is allowed to invoke it nor confines the supplied path to the location it is meant to operate on.

This vulnerability allows unauthenticated attackers to delete files on the server. The NVD entry limits the reach to the WordPress uploads base directory (normally wp-content/uploads), but the implications are still severe: that directory holds every image, document and media file the site has published, along with caches, exports and other files that plugins and themes generate there. An attacker who wipes it removes legitimate site content, and without a recent backup that loss is permanent.

With a CVSS score of 7.5 (HIGH), this is not a vulnerability to ignore. Defenders running WordPress sites with the Kirki plugin must understand that this is an unauthenticated attack vector: anyone who can reach the site's admin-ajax.php endpoint can exploit it without valid credentials. The attacker's calculus is simple: high impact, low effort. Updating the plugin is the fix; interim controls such as blocking the affected AJAX action at a WAF or restoring from backups reduce exposure but do not remove the flaw.
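To make the two root causes concrete, here is an added PHP illustration of the shape of flaw the NVD entry describes, followed by a hardened version. This is example code written for this page, not Kirki's source: the hook and function names (example_download_zip, example_confine_path), the example-exports subdirectory and the scenario of a handler that streams a generated ZIP from the uploads directory and deletes it afterwards are all assumptions.

```php
<?php
// Added illustration (not Kirki's code). Hook names, the example-exports
// subdirectory and the helper below are assumptions for this example.

// --- Vulnerable shape -----------------------------------------------------
// Registered for unauthenticated callers too, so anyone can reach it.
add_action( 'wp_ajax_nopriv_example_download_zip', 'example_download_zip_vulnerable' );
add_action( 'wp_ajax_example_download_zip', 'example_download_zip_vulnerable' );

function example_download_zip_vulnerable() {
    $upload = wp_upload_dir();
    // The caller controls the file name; "../" walks out of the intended subdirectory.
    $file = $upload['basedir'] . '/example-exports/' . $_REQUEST['file'];
    if ( file_exists( $file ) ) {
        readfile( $file );
        unlink( $file );   // deletion of an attacker-chosen file under uploads/
    }
    wp_die();
}

// --- Hardened shape -------------------------------------------------------
// Only logged-in users reach wp_ajax_ hooks; no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_example_download_zip', 'example_download_zip_safe' );

function example_download_zip_safe() {
    // 1. Capability check: only users allowed to manage the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF protection for the AJAX action.
    check_ajax_referer( 'example_download_zip' );

    $upload   = wp_upload_dir();
    $base_dir = realpath( $upload['basedir'] . '/example-exports' );

    // 3. Accept a bare file name only, then confine the resolved path to $base_dir.
    $name = sanitize_file_name( wp_unslash( $_REQUEST['file'] ?? '' ) );
    $path = example_confine_path( $base_dir, $name, 'zip' );
    if ( false === $path ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    header( 'Content-Type: application/zip' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    unlink( $path );
    wp_die();
}

/**
 * Resolve $name inside $base_dir and return the real path, or false when the
 * name is empty, contains a separator, escapes the directory, is not a regular
 * file, or has the wrong extension. realpath() collapses "..", symlinks and
 * redundant separators, so the prefix comparison is made on the resolved path
 * rather than on the raw input.
 */
function example_confine_path( $base_dir, $name, $ext ) {
    if ( false === $base_dir || '' === $name || basename( $name ) !== $name ) {
        return false;
    }
    $real = realpath( $base_dir . DIRECTORY_SEPARATOR . $name );
    if ( false === $real || ! is_file( $real ) ) {
        return false;
    }
    if ( strtolower( pathinfo( $real, PATHINFO_EXTENSION ) ) !== $ext ) {
        return false;
    }
    // Require $real to sit under $base_dir; the trailing separator blocks a
    // sibling directory such as "example-exports-evil" from passing the prefix test.
    return 0 === strpos( $real, $base_dir . DIRECTORY_SEPARATOR ) ? $real : false;
}
```

The hardened version closes both gaps the advisory names: current_user_can() together with dropping the wp_ajax_nopriv_ registration supplies the capability check, and example_confine_path() validates the path by resolving it with realpath() and requiring the result to stay under the export directory. Searching the raw string for "../" is not sufficient on its own; compare the resolved path.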

What This Means For You

  • If your WordPress site uses the Kirki plugin, check the installed version now, on the Plugins screen or with the WP-CLI command wp plugin list. Every version up to and including 6.0.6 is affected; update to a newer release. Do not delay: this is a high-severity, unauthenticated vulnerability that can lead to site defacement or data loss, so also confirm that a recent backup of wp-content/uploads exists.

Detection Rules

The rule below was auto-generated by the feed for this advisory and mapped to MITRE ATT&CK. It is published as Sigma YAML, which converts to other SIEM query languages; its status is experimental, so validate it against your own web server logs before relying on it.

Severity: high · ATT&CK: T1190 Exploit Public-Facing Application (Initial Access)

title: WordPress Kirki Plugin Arbitrary File Deletion - downloadZIP Function - CVE-2026-8073
id: scw-2026-05-19-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-8073 in the Kirki WordPress plugin: a POST to
  admin-ajax.php whose query string carries both the 'kirki_ajax_fallback' action and the
  'kirki_download_zip' marker, which the feed associates with the arbitrary file deletion
  in the plugin's 'downloadZIP' function. The flaw lets unauthenticated attackers delete
  files within the WordPress uploads directory.
author: SCW Feed Engine (AI-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8073/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains: '/wp-admin/admin-ajax.php'
    # contains|all requires BOTH markers; a plain list under contains is an OR
    c-uri-query|contains|all:
      - 'action=kirki_ajax_fallback'
      - 'kirki_download_zip'
    cs-method: 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative use of the plugin's ZIP download function
# admin-ajax.php accepts the action in the POST body as well as in the query string.
# Web server access logs record only the query string, so body-borne requests are
# invisible to this rule unless application-level or WAF logging captures them.
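To check what the rule above would and would not flag, here is an added PHP script (not part of the feed's rule set) that applies the rule's intended logic, a POST to admin-ajax.php with both query markers present, to constructed W3C-style access log lines. The log field order, the function names and the sample lines are assumptions for this example; it needs PHP 8 for str_contains().

```php
<?php
// Added example, not part of the feed's rules. Assumed log layout per line:
// date time cs-method cs-uri-stem cs-uri-query sc-status

/** Parse one constructed log line into the Sigma webserver field names, or null if malformed. */
function parse_w3c_line( string $line ): ?array {
    $parts = preg_split( '/\s+/', trim( $line ) );
    if ( count( $parts ) < 6 ) {
        return null;
    }
    [ $date, $time, $method, $stem, $query, $status ] = $parts;
    return [
        'cs-method'   => $method,
        'c-uri'       => $stem,
        'c-uri-query' => ( '-' === $query ) ? '' : $query,
        'sc-status'   => (int) $status,
    ];
}

/**
 * Mirror of the rule's selection: URI contains admin-ajax.php, the query string
 * contains BOTH markers (the rule's "combined with"), and the method is POST.
 */
function matches_kirki_rule( array $ev ): bool {
    return str_contains( $ev['c-uri'], '/wp-admin/admin-ajax.php' )
        && str_contains( $ev['c-uri-query'], 'action=kirki_ajax_fallback' )
        && str_contains( $ev['c-uri-query'], 'kirki_download_zip' )
        && 'POST' === $ev['cs-method'];
}

/** Return the subset of $lines the rule would alert on. */
function scan_for_cve_2026_8073( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $ev = parse_w3c_line( $line );
        if ( null !== $ev && matches_kirki_rule( $ev ) ) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic).
$sample = [
    // both markers, POST -> alert
    '2026-05-20 01:02:03 POST /wp-admin/admin-ajax.php action=kirki_ajax_fallback&fn=kirki_download_zip&file=..%2F..%2Fx.zip 200',
    // only the action, no zip marker -> no alert (a plain OR list would fire here)
    '2026-05-20 01:02:04 POST /wp-admin/admin-ajax.php action=kirki_ajax_fallback&fn=other 200',
    // GET with both markers -> no alert
    '2026-05-20 01:02:05 GET /wp-admin/admin-ajax.php action=kirki_ajax_fallback&fn=kirki_download_zip 200',
    // ordinary admin-ajax heartbeat -> no alert
    '2026-05-20 01:02:06 POST /wp-admin/admin-ajax.php action=heartbeat 200',
    // action sent in the POST body: query string empty -> no alert, the rule's blind spot
    '2026-05-20 01:02:07 POST /wp-admin/admin-ajax.php - 200',
];

$hits = scan_for_cve_2026_8073( $sample );
foreach ( $sample as $line ) {
    printf( "%s  %s\n", in_array( $line, $hits, true ) ? 'ALERT' : '  ok ', $line );
}
```

Only the first sample line is flagged. The last line is the important negative: when the client sends the action in the POST body, the access log shows an empty query string and the rule sees nothing, so sites relying on it should confirm that their web server or WAF logs the parameters admin-ajax.php actually receives.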

Source: Shimi's Cyber World

Indicators of Compromise

ID             Type                     Indicator
CVE-2026-8073  Arbitrary File Deletion  Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress
CVE-2026-8073  Arbitrary File Deletion  Affected versions: up to and including 6.0.6
CVE-2026-8073  Arbitrary File Deletion  Vulnerable function: downloadZIP
CVE-2026-8073  Arbitrary File Deletion  Root cause: insufficient file path validation and missing capability check
CVE-2026-8073  Arbitrary File Deletion  Impact: unauthenticated attackers can delete arbitrary files in the WordPress uploads directory

These entries describe the vulnerability rather than observed attacker infrastructure; the only network-level indicator is the request pattern captured by the detection rule above.
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.


Related coverage

  • CVE-2026-20240, denial of service (medium, CVSS 6.5, CWE-20): In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129, ...

  • CVE-2026-20239, Splunk Enterprise and Cloud vulnerability exposes session cookies and sensitive data (high, CVSS 7.5, CWE-532): In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a ...

  • CVE-2026-20238 (medium, CVSS 6.5, CWE-863): In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data ...