{"api_version":"1","generated_at":"2026-05-28T05:01:09+00:00","cve":"CVE-2026-8073","urls":{"html":"https://cve.report/CVE-2026-8073","api":"https://cve.report/api/cve/CVE-2026-8073.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-8073","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-8073"},"summary":{"title":"Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP","description":"The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2026-05-19 19:16:51","updated_at":"2026-05-19 21:00:47"},"problem_types":["CWE-23","CWE-23 CWE-23 Relative Path Traversal"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Primary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php","name":"https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60","name":"https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-8073","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-8073","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"themeum","product":"Kirki – Freeform Page Builder, Website Builder & Customizer","version":"affected 6.0.6 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-05-15T13:15:09.000Z","lang":"en","value":"Vendor Notified"},{"source":"CNA","time":"2026-05-19T06:24:51.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Rafie Muhammad","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"8073","cve":"CVE-2026-8073","epss":"0.001180000","percentile":"0.302500000","score_date":"2026-05-27","updated_at":"2026-05-28 00:02:14"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-8073","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-05-19T19:59:34.814729Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-05-19T20:01:00.455Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"Kirki – Freeform Page Builder, Website Builder & Customizer","vendor":"themeum","versions":[{"lessThanOrEqual":"6.0.6","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Rafie Muhammad"}],"descriptions":[{"lang":"en","value":"The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory."}],"metrics":[{"cvssV3_1":{"baseScore":7.5,"baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-23","description":"CWE-23 Relative Path Traversal","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-19T18:33:52.658Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve"},{"url":"https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60"},{"url":"https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php"}],"timeline":[{"lang":"en","time":"2026-05-15T13:15:09.000Z","value":"Vendor Notified"},{"lang":"en","time":"2026-05-19T06:24:51.000Z","value":"Disclosed"}],"title":"Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2026-8073","datePublished":"2026-05-19T18:33:52.658Z","dateReserved":"2026-05-07T09:46:46.353Z","dateUpdated":"2026-05-19T20:01:00.455Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-19 19:16:51","lastModifiedDate":"2026-05-19 21:00:47","problem_types":["CWE-23","CWE-23 CWE-23 Relative Path Traversal"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"8073","Ordinal":"1","Title":"Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and","CVE":"CVE-2026-8073","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"8073","Ordinal":"1","NoteData":"The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.","Type":"Description","Title":"Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and"}]}}}