{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/kirki--freeform-page-builder-website-builder--customizer-plugin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-8073"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Kirki – Freeform Page Builder, Website Builder \u0026 Customizer plugin"],"_cs_severities":["high"],"_cs_tags":["cve","wordpress","file-deletion"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Kirki – Freeform Page Builder, Website Builder \u0026amp; Customizer plugin for WordPress, versions 6.0.6 and earlier, contains an arbitrary file deletion vulnerability (CVE-2026-8073). This flaw stems from a lack of sufficient file path validation and the absence of a capability check within the \u0026lsquo;downloadZIP\u0026rsquo; function. Unauthenticated attackers can exploit this to read and delete arbitrary files, provided they are located within the WordPress uploads base directory. This poses a significant risk to WordPress sites using the Kirki plugin, potentially leading to data loss and service disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using a vulnerable version of the Kirki plugin (\u0026lt;= 6.0.6).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;downloadZIP\u0026rsquo; function.\u003c/li\u003e\n\u003cli\u003eThe request contains a manipulated file path, bypassing insufficient validation, to point to a target file within the WordPress uploads directory.\u003c/li\u003e\n\u003cli\u003eThe \u0026lsquo;downloadZIP\u0026rsquo; function, lacking capability checks, processes the request without proper authorization.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers file deletion within the WordPress uploads directory using path traversal.\u003c/li\u003e\n\u003cli\u003eThe targeted file is deleted from the server.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this process to delete multiple files within the uploads directory.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary file deletion, potentially leading to data loss or site defacement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8073 allows unauthenticated attackers to delete arbitrary files within the WordPress uploads directory. This can lead to significant data loss, site defacement, or disruption of services. The vulnerability affects all WordPress sites using Kirki plugin versions 6.0.6 and earlier. A CVSS v3.1 score of 7.5 indicates a high severity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Kirki plugin to the latest version to patch CVE-2026-8073.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-8073 Exploitation — Kirki Arbitrary File Deletion\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests to the \u0026lsquo;downloadZIP\u0026rsquo; function that contain path traversal attempts, using the log source detailed in the provided Sigma rules.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T19:18:19Z","date_published":"2026-05-19T19:18:19Z","id":"https://feed.craftedsignal.io/briefs/2026-05-kirki-file-deletion/","summary":"The Kirki plugin for WordPress is vulnerable to arbitrary file deletion via CVE-2026-8073 due to insufficient file path validation and a missing capability check in the 'downloadZIP' function, allowing unauthenticated attackers to delete files within the WordPress uploads directory.","title":"WordPress Kirki Plugin Arbitrary File Deletion (CVE-2026-8073)","url":"https://feed.craftedsignal.io/briefs/2026-05-kirki-file-deletion/"}],"language":"en","title":"CraftedSignal Threat Feed — Kirki – Freeform Page Builder, Website Builder \u0026 Customizer Plugin","version":"https://jsonfeed.org/version/1.1"}