Kirki – Freeform Page Builder, Website Builder & Customizer Plugin

The Kirki plugin for WordPress is vulnerable to arbitrary file deletion via CVE-2026-8073 due to insufficient file path validation and a missing capability check in the 'downloadZIP' function, allowing unauthenticated attackers to delete files within the WordPress uploads directory.