The Kirki WordPress plugin versions 6.0.0 through 6.0.6 suffer from an unauthenticated privilege escalation vulnerability (CVE-2026-8206, CVSS 9.8) due to a flawed password reset mechanism that allows attackers to specify a username and arbitrary email address to receive valid password reset links, enabling account takeover including administrative accounts. The Burst Statistics plugin versions 3.4.0 to 3.4.1.1 have an authentication bypass vulnerability in the application password validation logic of the REST API, which incorrectly authenticates attacker-supplied administrator credentials, allowing unauthorized access to admin-level REST API functions such as creating new admin accounts. Both vulnerabilities have been exploited in the wild, affecting hundreds of thousands of websites. Vendor patches are available and users are urged to update to Kirki 6.0.7 or newer and Burst Statistics 3.4.2 or newer.

Successful exploitation of these vulnerabilities allows unauthenticated attackers to escalate privileges to administrator level and take full control of affected WordPress websites. This includes resetting passwords of high-privilege accounts in Kirki or impersonating administrators via the REST API in Burst Statistics, potentially leading to complete site takeover, unauthorized content modification, data theft, or use of the site for further attacks. Thousands of attacks have been detected and blocked recently, indicating active exploitation attempts.

Official patches addressing these vulnerabilities have been released. Users should immediately update Kirki to version 6.0.7 or later and Burst Statistics to version 3.4.2 or later to remediate the security flaws. Applying these updates will prevent exploitation of the privilege escalation and authentication bypass issues. No additional mitigation steps are required beyond applying the vendor-provided fixes.