Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs
Threat actors are exploiting vulnerable Kirki and Burst Statistics deployments to elevate privileges and take over websites. The post Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs appeared first on SecurityWeek.
Hundreds of thousands of websites are potentially exposed to attacks exploiting two vulnerabilities in the Kirki and Burst Statistics WordPress plugins, Defiant warns.
Kirki provides website and freeform page creation as well as WordPress Customizer enhancements. Versions 6.0.0 to 6.0.6 of the plugin are affected by an unauthenticated privilege escalation and account takeover bug.
Tracked as CVE-2026-8206 (CVSS score of 9.8), the issue impacted the plugin’s password reset flow, which allowed attackers to provide a username and an arbitrary email address and have a password reset key sent to that address.
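To make the flaw class concrete, here is an added illustration (not Kirki's code and not the patch): a WordPress-style reset handler written in the shape the article describes, beside a hardened version. The function names `vulnerable_send_reset` and `hardened_send_reset` are assumptions; the helpers called inside them (`get_user_by`, `get_password_reset_key`, `wp_mail`, `network_site_url`, `wp_verify_nonce`, `sanitize_user`, `sanitize_email`, `WP_Error`) are WordPress core APIs.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical handler names.

// FLAWED shape: the reset key is mailed to whatever address the request
// supplies, so the account's owner never needs to see the message.
function vulnerable_send_reset( array $request ) {
    $user = get_user_by( 'login', sanitize_user( $request['username'] ?? '' ) );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return $key;
    }
    $link = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key )
        . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    // Defect: the destination is taken from the request, not from the account.
    return wp_mail( sanitize_email( $request['email'] ?? '' ), 'Password reset', $link );
}

// HARDENED shape: the request may only name the account; the message always
// goes to the address stored for that account, the request carries a nonce,
// and the response is identical whether or not the account exists.
function hardened_send_reset( array $request ) {
    if ( ! wp_verify_nonce( $request['_wpnonce'] ?? '', 'lostpassword' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $user = get_user_by( 'login', sanitize_user( $request['username'] ?? '' ) );
    if ( $user ) {
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $link = network_site_url(
                'wp-login.php?action=rp&key=' . rawurlencode( $key )
                . '&login=' . rawurlencode( $user->user_login ),
                'login'
            );
            wp_mail( $user->user_email, 'Password reset', $link ); // stored address only
        }
    }
    // Constant response: no account enumeration, no hint about delivery.
    return true;
}
```

Any reset endpoint that accepts a destination address from the client, rather than reading it from the user record, has this defect regardless of framework.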
Source: https://www.securityweek.com/kirki-burst-statistics-wordpress-plugin-flaws-in-attackers-crosshairs/
Related breach coverage
- WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites (2026-06-01)
The security defect (CVE-2026-8732) allows unauthenticated attackers to create administrative accounts on the affected installations.
- PoC Released for DirtyDecrypt Linux Kernel Vulnerability (2026-05-19)
Patched in April, the underlying vulnerability allows local attackers to elevate their privileges to root.
- Organizations Warned of Exploited Linux Kernel Vulnerability (2026-06-03)
An improper authentication bug allows attackers to escalate their privileges and escape containers.
- The Zero-Knowledge Threat Actor and the End of Responsible Disclosure (2026-06-02)
AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code.
