{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-8073", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-05-07T09:46:46.353Z", "datePublished": "2026-05-19T18:33:52.658Z", "dateUpdated": "2026-05-19T20:01:00.455Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-05-19T18:33:52.658Z"}, "affected": [{"vendor": "themeum", "product": "Kirki \u2013 Freeform Page Builder, Website Builder & Customizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Kirki \u2013 Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory."}], "title": "Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60"}, {"url": "https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-23 Relative Path Traversal", "cweId": "CWE-23", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad"}], "timeline": [{"time": "2026-05-15T13:15:09.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-05-19T06:24:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-05-19T19:59:34.814729Z", "id": "CVE-2026-8073", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-19T20:01:00.455Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-8073", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-05-19T19:59:34.814729Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-05-19T20:00:32.657Z"}}], "cna": {"title": "Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP", "credits": [{"lang": "en", "type": "finder", "value": "Rafie Muhammad"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "themeum", "product": "Kirki \u2013 Freeform Page Builder, Website Builder & Customizer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.0.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-05-15T13:15:09.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-05-19T06:24:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60"}, {"url": "https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php"}], "descriptions": [{"lang": "en", "value": "The Kirki \u2013 Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-23", "description": "CWE-23 Relative Path Traversal"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-05-19T18:33:52.658Z"}}}, "cveMetadata": {"cveId": "CVE-2026-8073", "state": "PUBLISHED", "dateUpdated": "2026-05-19T20:01:00.455Z", "dateReserved": "2026-05-07T09:46:46.353Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-05-19T18:33:52.658Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Kirki \u2013 Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory."}], "id": "CVE-2026-8073", "lastModified": "2026-05-19T21:00:47.093", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-05-19T19:16:51.577", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.1/includes/API.php#L60"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3535640/kirki/trunk/includes/API.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b073edd0-3f40-423e-976e-996b29caf66e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-23"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.0.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Kirki \u2013 Freeform Page Builder, Website Builder & Customizer", "source": "cna", "vendor": "themeum"}, "product": "kirki_\u2013_freeform_page_builder,_website_builder_&_customizer", "vendor": "themeum"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "created": "2026-05-19T20:30:13.401901+00:00", "updated": "2026-05-20T10:39:07.112149+00:00", "vendors": ["themeum", "themeum$PRODUCT$kirki_\u2013_freeform_page_builder,_website_builder_&_customizer", "wordpress", "wordpress$PRODUCT$wordpress"]}