
CVE-2026-8206 is a critical unauthenticated account takeover vulnerability in the Kirki WordPress plugin. It carries a CVSS score of 9.5 and is under confirmed active exploitation: Wordfence reported more than 222 blocked exploitation attempts in a single 24-hour window. An unauthenticated attacker can redirect the password reset flow for any user account, including WordPress administrators, to an attacker-controlled address, and then complete the reset to take over the account. A fix is available in Kirki 6.0.7 and should be applied immediately. Organizations that cannot patch right away should deactivate the plugin or block the password reset endpoints at the WAF; note that the WAF rule also blocks legitimate password resets, so treat it as a stopgap rather than a fix. Because the patch does not undo a takeover that already happened, sites that were exposed before updating should review administrator accounts for unexpected e-mail address changes or password resets and rotate credentials where anything looks wrong.
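The triage steps above (find installs below the fixed release, deactivate the plugin where patching is not immediately possible, review administrator e-mail addresses) can be scripted with WP-CLI. The script below is an added example, not code from the advisory, Wordfence, or the Kirki project. It assumes WP-CLI is installed, that the plugin's slug is `kirki`, and that `6.0.7` is the first fixed release as the advisory states; the version comparison is pure POSIX sh so it does not depend on GNU `sort -V`.

```shell
#!/bin/sh
# Added example: triage WordPress installs for a Kirki release below the
# fixed version named in the advisory and deactivate the plugin if needed.
set -eu

FIXED_VERSION="6.0.7"   # first fixed release, per the advisory
PLUGIN_SLUG="kirki"     # assumed wordpress.org slug for the Kirki plugin

# version_lt A B: exit 0 when dotted version A sorts strictly below B.
# Missing components count as 0 (6.0 < 6.0.7); a non-numeric suffix such as
# "7-beta" is ignored so the arithmetic comparison never errors out.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ "$a" = "$ax" ] && a="" || a="${a#*.}"
        [ "$b" = "$bx" ] && b="" || b="${b#*.}"
        ax="${ax%%[!0-9]*}"; bx="${bx%%[!0-9]*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 1
}

# kirki_vulnerable VERSION: exit 0 when VERSION predates the fixed release.
kirki_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# triage_site WP_ROOT: report the installed Kirki version, deactivate the
# plugin when it is vulnerable, and list administrator e-mail addresses so an
# unexpected address (a redirected reset target) stands out for review.
triage_site() {
    path="$1"
    if ! installed=$(wp --path="$path" plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null); then
        echo "$path: $PLUGIN_SLUG not installed"
        return 0
    fi
    if kirki_vulnerable "$installed"; then
        echo "$path: $PLUGIN_SLUG $installed is below $FIXED_VERSION, deactivating"
        wp --path="$path" plugin deactivate "$PLUGIN_SLUG"
    else
        echo "$path: $PLUGIN_SLUG $installed is at or above $FIXED_VERSION"
    fi
    echo "$path: administrator accounts (check for unexpected e-mail addresses)"
    wp --path="$path" user list --role=administrator \
        --fields=ID,user_login,user_email,user_registered
}

# Usage: ./kirki-triage.sh /var/www/site1 /var/www/site2 ...
if [ "$#" -gt 0 ]; then
    for site in "$@"; do
        triage_site "$site"
    done
fi
```

Run it with one WordPress root per argument. Deactivating the plugin removes the vulnerable code path but also removes any Customizer controls the active theme builds on Kirki, so plan to update to 6.0.7 or later and re-enable it rather than leaving it off indefinitely. The administrator listing is a quick review aid, not proof of compromise; any address you do not recognize warrants a credential reset and a look at the site's access logs around the time of the change.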

Author

Tech Jacks Solutions