PT-2026-41999 · WordPress · Kirki

Giang Bui · Published 2026-05-19 · Updated 2026-05-19 · CVE-2026-8096

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Kirki – Freeform Page Builder, Website Builder & Customizer versions prior to 6.0.7

Description

The plugin fails to properly verify if a user is authorized to perform specific actions. This allows authenticated attackers with subscriber-level access or higher to bypass authorization and view all frontend forms, as well as read stored visitor form submission data, such as contact details and messages.

Recommendations

Update the plugin to a version later than 6.0.6.

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-8096

Affected Products

Kirki