WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Kirki safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Kirki WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: kirki
  • Requires PHP: 7.4+
  • Max supported PHP (analyzed): <8.0

Known vulnerabilities

  • Kirki – Freeform Page Builder, Website Builder &amp; Customizer [kirki] < 6.0.7 [CVE-2026-8096, Kirki <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Sensitive Form Submission Data Exposure via 'kirki_wp_admin_get_apis' Action, EUVD-2026-30971]
  • Kirki – Freeform Page Builder, Website Builder &amp; Customizer [kirki] < 6.0.7 [CVE-2026-8073, Kirki <= 6.0.6 - Unauthenticated Limited Arbitrary File Read and Deletion via downloadZIP, EUVD-2026-30976, WordPress Kirki – Freeform Page Builder, Website Builder &amp; Customizer Plugin <= 6.0.6 is vulnerable to a high priority Arbitrary File Download]
  • Kirki – Freeform Page Builder, Website Builder &amp; Customizer [kirki] < 6.0.7 [CVE-2026-8206, Kirki 6.0.0 - 6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password']
  • Kirki – Freeform Page Builder, Website Builder &amp; Customizer [kirki] < 6.0.12 [CVE-2026-57627, Kirki – Freeform Page Builder, Website Builder & Customizer <= 6.0.11 - Authenticated (Subscriber+) Server-Side Request Forgery]
  • Kirki – Freeform Page Builder, Website Builder &amp; Customizer [kirki] < 6.0.12 [CVE-2026-12122, Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Sensitive Information Exposure via kirki_post_apis_nopriv AJAX Action]
+ 2 more known vulnerabilities
  • Kirki – Freeform Page Builder, Website Builder &amp; Customizer [kirki] < 6.0.12 [CVE-2026-12472, Kirki <= 6.0.11 - Missing Authorization to Unauthenticated Arbitrary Email Content Injection (Mail Relay / Phishing) via 'emailBody' and 'emailSubject' Parameters]
  • Kirki – Freeform Page Builder, Website Builder &amp; Customizer [kirki] < 6.0.12 [CVE-2026-57680]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.