Critical Kirki flaw exploited to hijack WordPress admin accounts

Tuesday, June 2, 2026 at 10:12 PM UTC·Source: BleepingComputer

Updated: Tuesday, June 2, 2026 at 11:00 PM UTC

Executive Summary

Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. [...]

Analysis

Indicators of Compromise (1)

CVE (1)

CVE-2026-8206

NVD MITRE CVE

Source Attribution

Originally published by BleepingComputer on Jun 2, 2026.

Related Threats

MEDIUMVulnerabilityNEW

Apple Wallet to get bill-splitting tool

Apple is prepping an iPhone feature that will enable users to split bills in by taking a photograph of a receipt, according to Bloomberg.

14m agoFinextra

CRITICALVulnerabilityNEW

Two-year old Oracle WebLogic Server vulnerability is being exploited

US federal government departments have been given until Thursday to patch a two-year old high severity vulnerability in Oracle WebLogic Server that could allow an unauthenticated attacker to access critical data. The vulnerability, CVE-2024-21182 , was added Monday to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog , giving federal Oracle

CVE-2024-21182CVE-2026-21962

40m agoCSO Online

MEDIUMVulnerabilityNEW

Most organizations that miss 24-hour patch window report breaches

Steve Zurier reports: The Cloud Security Alliance (CSA) found that 80% of organizations that miss the 24-hour patch window report security incidents involving known vulnerabilities. CSA’s study, released June 2, also found that even pre-production controls are not stopping known flaws in the AI age as 82% of organizations lack real-time visibility into AI runtime behavior.... Source

50m agoDataBreaches.net