{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8073", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-05-07T09:46:46.353Z", "datePublished": "2026-05-19T18:33:52.658Z", "dateUpdated": "2026-05-19T20:01:00.455Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-05-19T18:33:52.658Z"}, "affected": [{"vendor": "themeum", "product": "Kirki \u2013 Freeform Page Builder, Website Builder & Customizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Kirki \u2013 Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory."}], "title": "Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60"}, {"url": "https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-23 Relative Path Traversal", "cweId": "CWE-23", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad"}], "timeline": [{"time": "2026-05-15T13:15:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-05-19T06:24:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-19T19:59:34.814729Z", "id": "CVE-2026-8073", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-19T20:01:00.455Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8073", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-05-07T09:46:46.353Z", "datePublished": "2026-05-19T18:33:52.658Z", "dateUpdated": "2026-05-19T20:01:00.455Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-05-19T18:33:52.658Z"}, "affected": [{"vendor": "themeum", "product": "Kirki \u2013 Freeform Page Builder, Website Builder & Customizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Kirki \u2013 Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory."}], "title": "Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60"}, {"url": "https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-23 Relative Path Traversal", "cweId": "CWE-23", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad"}], "timeline": [{"time": "2026-05-15T13:15:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-05-19T06:24:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-8073", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-19T19:59:34.814729Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-19T20:00:32.657Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Kirki \u2013 Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory."}], "id": "CVE-2026-8073", "lastModified": "2026-05-19T19:16:51.577", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-05-19T19:16:51.577", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"created": "2026-05-19T20:30:13.401901+00:00", "updated": "2026-05-19T20:30:13.401912+00:00", "vendors": []}