Originally published at: CVE-2026-8206: Password reset flaw in Kirki plugin could enable account takeover - ToolsLib Blog
CVE-2026-8206 affects Kirki 6.0.0–6.0.6, allowing password reset emails to be sent to attacker-controlled addresses. Update the plugin from the WordPress plugin directory now.