PT-2026-54939 · Themeum · Kirki – Freeform Page Builder
Jagadesh Achanta · Published 2026-07-02 · Updated 2026-07-02 · CVE-2026-12122
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get single symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki symbol post — including unpublished drafts — by supplying a sequential WordPress post ID.
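For defenders reviewing access logs on sites that ran an affected version, the sequential post ID pattern described above can be surfaced with a check like the one below. This is an added example, not code from the advisory or the plugin; the advisory does not name the route or parameter, so `/placeholder-route`, the `symbol_id` query parameter and the sample log lines are constructed placeholders to replace with the values seen in your own logs.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumption: the symbol lookup carries the post ID in a query parameter.
# The advisory names neither route nor parameter; both are placeholders here.
ID_PARAM = "symbol_id"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (client_ip, post_id, status), or None if the line is not a lookup."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, target, status = m.group(1), m.group(2), int(m.group(3))
    values = parse_qs(urlsplit(target).query).get(ID_PARAM, [])
    if len(values) != 1 or not values[0].isdecimal():
        return None
    return ip, int(values[0]), status

def longest_run(ids):
    """Length of the longest run of consecutive integers in a set of IDs."""
    best = 0
    for i in ids:
        if i - 1 not in ids:  # i is the start of a run
            n = 1
            while i + n in ids:
                n += 1
            best = max(best, n)
    return best

def find_enumerators(lines, min_run=5):
    """Map client IP -> (longest consecutive run, IDs that were answered with 200)."""
    seen, hits = defaultdict(set), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, post_id, status = rec
        seen[ip].add(post_id)
        if status == 200:
            hits[ip].add(post_id)  # these posts may have been disclosed
    return {ip: (longest_run(ids), sorted(hits[ip]))
            for ip, ids in seen.items() if longest_run(ids) >= min_run}

# Constructed sample log: one client walks IDs 100-106, another fetches a single symbol.
SAMPLE = [
    f'203.0.113.7 - - [02/Jul/2026:10:00:{i:02d} +0000] "GET /placeholder-route?symbol_id={100 + i} HTTP/1.1" '
    f'{200 if i in (2, 5) else 404} 512 "-" "-"' for i in range(7)
] + ['198.51.100.4 - - [02/Jul/2026:10:01:00 +0000] "GET /placeholder-route?symbol_id=102 HTTP/1.1" 200 512 "-" "-"']
```

The IDs returned with status 200 for a flagged client are the symbol posts to review for exposed draft content.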
Fix
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Kirki – Freeform Page Builder