Threat Feed
Severity: high

WordPress Kirki Plugin Arbitrary File Deletion (CVE-2026-8073)

The Kirki plugin for WordPress is vulnerable to arbitrary file deletion (CVE-2026-8073) because its 'downloadZIP' function performs insufficient file path validation and lacks a capability check, allowing unauthenticated attackers to delete files within the WordPress uploads directory.

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress, in versions 6.0.6 and earlier, contains an arbitrary file deletion vulnerability (CVE-2026-8073). The flaw stems from insufficient file path validation and the absence of a capability check in the ‘downloadZIP’ function. Unauthenticated attackers can exploit it to read and delete arbitrary files, provided those files are located within the WordPress uploads base directory. This is a significant risk for WordPress sites running the Kirki plugin and can lead to data loss and service disruption.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site using a vulnerable version of the Kirki plugin (<= 6.0.6).
  2. The attacker crafts a malicious HTTP request targeting the ‘downloadZIP’ function.
  3. The request contains a manipulated file path, bypassing insufficient validation, to point to a target file within the WordPress uploads directory.
  4. The ‘downloadZIP’ function, lacking capability checks, processes the request without proper authorization.
  5. The attacker triggers file deletion within the WordPress uploads directory using path traversal.
  6. The targeted file is deleted from the server.
  7. The attacker can repeat this process to delete multiple files within the uploads directory.
  8. The attacker achieves arbitrary file deletion, potentially leading to data loss or site defacement.

Impact

Successful exploitation of CVE-2026-8073 allows unauthenticated attackers to delete arbitrary files within the WordPress uploads directory. This can lead to significant data loss, site defacement, or disruption of services. The vulnerability affects all WordPress sites using Kirki plugin versions 6.0.6 and earlier. A CVSS v3.1 score of 7.5 indicates a high severity.

Recommendation

  • Upgrade the Kirki plugin to the latest version to patch CVE-2026-8073.
  • Deploy the Sigma rule “Detect CVE-2026-8073 Exploitation — Kirki Arbitrary File Deletion” to your SIEM and tune for your environment.
  • Monitor web server logs for requests to the ‘downloadZIP’ function that contain path traversal sequences, using the log source specified in the provided Sigma rules.
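The following is an added example of the log monitoring recommended above; it is not code from the advisory, the Sigma rules it references, or the Kirki project. It assumes an Apache/Nginx "combined" access log (the advisory only names "webserver" as the log source) and, because the advisory gives only the function name 'downloadZIP', the request route and the `action`/`file` parameter names in the constructed sample lines are hypothetical placeholders. The detector flags any request whose decoded URI references downloadZIP and contains a `../` or `..\` traversal sequence, including single- and double-URL-encoded forms.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" access log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Traversal sequence as it appears after URL decoding ("../" or "..\").
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')

# Constructed sample log lines. The admin-ajax.php route and the
# action/file parameter names are hypothetical; only 'downloadZIP' comes
# from the advisory. Lines 1 and 2 carry traversal (single- and
# double-encoded); lines 3 and 4 are benign traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=downloadZIP&file=..%2F..%2Fexample.zip HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=downloadZIP&file=%252e%252e%252fexample.zip HTTP/1.1" 200 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2026:12:00:03 +0000] "GET /wp-content/uploads/2026/03/photo.jpg'
    ' HTTP/1.1" 200 34567 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2026:12:00:04 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=downloadZIP&file=export.zip HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def normalize(uri):
    """Decode the URI twice so single- and double-encoded traversal
    sequences both collapse to a literal '../', then lower-case it so the
    'downloadZIP' match is case-insensitive."""
    return unquote(unquote(uri)).lower()


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_exploit_attempt(entry):
    """True when the decoded request URI names downloadZIP and carries a
    traversal sequence; both conditions are required to limit noise from
    legitimate downloadZIP calls."""
    uri = normalize(entry["uri"])
    return "downloadzip" in uri and TRAVERSAL_RE.search(uri) is not None


def scan(lines):
    """Run the detector over raw log lines and return the flagged entries."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_exploit_attempt(entry):
            hits.append({
                "ip": entry["ip"],
                "method": entry["method"],
                "uri": entry["uri"],
                "status": entry["status"],
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["method"]} {hit["status"]} {hit["uri"]}')
```

Both GET and POST requests are matched, which mirrors the two Sigma rules listed below, but note the limitation of this log source: an access log records only the request line, so a traversal sequence sent in a POST body is invisible here and would need the web application firewall or PHP-level logging to surface it. Pairing the detector with a file integrity check on the uploads directory helps confirm whether a flagged request actually removed anything.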

Detection coverage (2 rules)

Detect CVE-2026-8073 Exploitation — Kirki Arbitrary File Deletion

Severity: high

Detects a CVE-2026-8073 exploitation attempt: path traversal in the Kirki plugin's downloadZIP function to delete arbitrary files.

Format: Sigma | Tactics: Impact | Techniques: T1485 | Sources: webserver

Detect CVE-2026-8073 Exploitation — Kirki Arbitrary File Deletion (POST Request)

Severity: high

Detects a CVE-2026-8073 exploitation attempt via POST request: path traversal in the Kirki plugin's downloadZIP function to delete arbitrary files.

Format: Sigma | Tactics: Impact | Techniques: T1485 | Sources: webserver
