WordPress · Kirki · CVE-2026-8096
**Name of the Vulnerable Software and Affected Versions**
Kirki – Freeform Page Builder, Website Builder & Customizer versions prior to 6.0.7
**Description**
The plugin fails to properly verify if a user is authorized to perform specific actions. This allows authenticated attackers with subscriber-level access or higher to bypass authorization and view all frontend forms, as well as read stored visitor form submission data, such as contact details and messages.
**Recommendations**
Update the plugin to a version later than 6.0.6.