Keypoints
- CVE-2026-8206 affects the Kirki WordPress plugin.
- The flaw lets unauthenticated attackers take over any user account.
- Password reset links can be sent to attacker-controlled email addresses.
- Wordfence blocked over 222 exploitation attempts in 24 hours.
- Users should upgrade to version 6.0.7 or disable the plugin.