A successful exploit gives an attacker full control of a WordPress website, including the ability to exfiltrate stored data, install malicious code, redirect visitors to harmful sites, or destroy content entirely. For organizations using WordPress as a customer-facing presence, e-commerce platform, or internal portal, a takeover creates direct exposure to regulatory penalties under data protection laws if customer or employee data is accessed. The reputational and financial cost of a defaced or weaponized website — particularly one used to distribute malware to visitors — can far exceed the cost of an emergency patch.
You Are Affected If
You run the Kirki – Freeform Page Builder, Website Builder & Customizer plugin (themeum) version 6.0.0 through 6.0.6 on any WordPress installation
Your WordPress site is internet-facing and the password reset endpoint (wp-login.php?action=lostpassword) is publicly accessible
You have not updated the Kirki plugin beyond version 6.0.6 or have not disabled it pending patching
Your WordPress site has registered user accounts, particularly accounts with administrator or editor privileges
You do not have a WAF rule blocking or restricting access to the WordPress password reset flow
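A version-range check for the first and third items above (are we on 6.0.0 through 6.0.6?), added here as example code rather than anything from the advisory or the plugin. It assumes the plugin's main file lives at wp-content/plugins/kirki/kirki.php with a standard WordPress plugin header; that path, the file name and the sample header are assumptions, not facts from the page.

```python
"""Audit helper: flag a Kirki install whose version is in the affected range.

Added example, not part of the advisory. Assumes the plugin's main file is
wp-content/plugins/kirki/kirki.php with a WordPress plugin header containing a
"Version:" line; path and file name are assumptions.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

# Affected range stated in the advisory, inclusive on both ends.
AFFECTED_MIN = (6, 0, 0)
AFFECTED_MAX = (6, 0, 6)

# Constructed sample header shaped like a WordPress plugin header (not the real file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Kirki (sample header, constructed for this example)
 * Version: 6.0.6
 */
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Split "6.0.10" into (6, 0, 10) so parts compare numerically, not as strings
    (a naive string compare would rank "6.0.10" below "6.0.6"); a non-numeric
    tail such as "-beta" ends the tuple."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def is_affected(version: str) -> bool:
    """True when version lies within 6.0.0 .. 6.0.6; 6.0.7, 6.0.10 and 6.1.0 are not."""
    v = parse_version(version)
    width = max(len(v), len(AFFECTED_MAX))
    def pad(t):                      # right-pad with zeros so 6.0 == 6.0.0
        return t + (0,) * (width - len(t))
    return pad(AFFECTED_MIN) <= pad(v) <= pad(AFFECTED_MAX)

def version_from_header(header: str) -> Optional[str]:
    """Pull the Version: field out of a WordPress plugin header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header, re.MULTILINE)
    return m.group(1) if m else None

def audit_kirki(plugin_file: str) -> Optional[bool]:
    """True = affected, False = not affected, None = plugin file or version not found."""
    path = Path(plugin_file)
    if not path.is_file():
        return None
    version = version_from_header(path.read_text(errors="replace"))
    return is_affected(version) if version else None

if __name__ == "__main__":
    # Assumed location of the plugin's main file inside a WordPress docroot.
    print(audit_kirki("wp-content/plugins/kirki/kirki.php"))
```

Run it from the WordPress document root on each site; a `True` result means the site matches the first affected-if item and should be patched or have the plugin disabled.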
Board Talking Points
A critical flaw in a widely-used WordPress plugin allows any outsider to take over any account on affected websites, including administrator accounts, with no login required.
All WordPress sites running the affected Kirki plugin versions should be patched or have the plugin disabled immediately — this week, not next.
Without action, any affected site is fully exposed to takeover, data theft, and weaponization against your own visitors.
GDPR / regional data protection law — WordPress administrator account takeover may expose stored user personal data (names, emails, account records), triggering breach notification obligations
PCI-DSS — if the affected WordPress installation processes or hosts payment-related content or integrates with payment flows, full admin access constitutes a cardholder data environment compromise