CVE-2026-8206 is a critical unauthenticated account takeover vulnerability in the Kirki WordPress plugin affecting versions 6.0.0 through 6.0.6. An attacker with no credentials can redirect any user’s password reset email to an attacker-controlled address, achieving full administrator-level account takeover. Active exploitation is confirmed in the wild, and CISA has added this CVE to the Known Exploited Vulnerabilities catalog.