If your website runs on WordPress, this one needs your attention today. A critical flaw in the Kirki theme customiser plugin — tracked as CVE-2026-8206 and rated 9.8 out of 10 — lets an attacker take over an administrator account without ever logging in, as reported by BleepingComputer. The plugin’s password-reset function accepts an email address supplied by the attacker, so they simply request a reset for your admin username, point it at their own inbox, and walk straight in. Security firm Wordfence says it blocked more than 222 of these attacks in a single day.
Kirki is bundled with a lot of themes, so plenty of site owners are running it without realising. It’s active on more than 500,000 sites worldwide. A hijacked WordPress site isn’t a minor nuisance — attackers use that access to deface pages, plant malware that infects your visitors, skim customer data, and quietly add their own admin accounts to keep a foothold. If customer information is exposed, you’re also into Privacy Act and Notifiable Data Breaches territory.
Here’s what to do. Update Kirki to version 6.0.7 or later straight away — the fix has been out since 18 May. If you can’t update immediately, deactivate the plugin until you can. Then check your list of admin users for anything unfamiliar, force a password reset on the legitimate accounts, and review recent login activity. If you’re not sure whether Kirki is even installed (it’s often pulled in by a theme), ask whoever manages your site.
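The checks above can be scripted for anyone who manages a site from the command line. The script below is an added example written for this post, not code from the page, Wordfence or BleepingComputer. It assumes WP-CLI (`wp`) is installed and run from the site root, and that the plugin slug is `kirki`; the plugin and admin listings it parses are constructed sample output, not real data, so the helper functions can be exercised without touching a live site.

```shell
#!/bin/sh
# Added example: WP-CLI-based audit for the remediation steps in the post.
# Assumptions: WP-CLI ("wp") is installed and run from the site root, and the
# plugin slug is "kirki". The helpers take text input, so they are exercised
# below on constructed sample output rather than on a live site.

FIXED_VERSION="6.0.7"   # first patched release named in the post
KIRKI_SLUG="kirki"      # assumed wordpress.org plugin slug

# version_lt A B: succeed (exit 0) when dotted version A is older than B.
# Components are compared numerically; suffixes such as "-beta" are ignored.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    [ "$a" = "$ai" ] && a="" || a=${a#*.}
    [ "$b" = "$bi" ] && b="" || b=${b#*.}
    case $ai in *[!0-9]*) ai=${ai%%[!0-9]*} ;; esac
    case $bi in *[!0-9]*) bi=${bi%%[!0-9]*} ;; esac
    ai=${ai:-0}; bi=${bi:-0}
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1
}

# plugin_field CSV SLUG N: print column N of the row whose first column is SLUG.
# CSV is the output of: wp plugin list --fields=name,status,version --format=csv
plugin_field() {
  printf '%s\n' "$1" | awk -F, -v slug="$2" -v n="$3" '$1 == slug { print $n }'
}

# assess_kirki CSV: print "not-installed", "patched VER" or "vulnerable VER".
# Exit status 2 flags the vulnerable case so the script can be used from cron.
assess_kirki() {
  ver=$(plugin_field "$1" "$KIRKI_SLUG" 3)
  if [ -z "$ver" ]; then
    echo "not-installed"; return 0
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo "vulnerable $ver"; return 2
  else
    echo "patched $ver"; return 0
  fi
}

# unexpected_admins CSV KNOWN: print administrator logins that are not in the
# space-separated KNOWN list. CSV is the output of:
#   wp user list --role=administrator --fields=user_login,user_email,user_registered --format=csv
unexpected_admins() {
  printf '%s\n' "$1" | awk -F, -v known=" $2 " \
    'NR > 1 && index(known, " " $1 " ") == 0 { print $1 }'
}

# Constructed sample output (not real data) standing in for the two wp commands.
SAMPLE_PLUGIN_LIST='name,status,version
akismet,active,5.3
kirki,active,6.0.6
hello,inactive,1.7.2'

SAMPLE_ADMIN_LIST='user_login,user_email,user_registered
owner,owner@example.com,2021-03-02 10:11:12
wpsupport1,reset@example.net,2026-05-20 03:14:15'

# run_live_audit KNOWN_ADMINS: query the real site via WP-CLI and print findings.
# WordPress core keeps no login log, so "recent login activity" means your web
# server's access log (POSTs to wp-login.php, including password-reset requests).
run_live_audit() {
  plugins=$(wp plugin list --fields=name,status,version --format=csv)
  admins=$(wp user list --role=administrator \
             --fields=user_login,user_email,user_registered --format=csv)
  echo "Kirki: $(assess_kirki "$plugins")"
  echo "Administrator accounts not on the known list:"
  unexpected_admins "$admins" "$1"
  cat <<'EOF'
Suggested follow-up, run by hand after reviewing the findings:
  wp plugin update kirki             # or, until you can update: wp plugin deactivate kirki
  wp user update <login> --user_pass="$(wp eval 'echo wp_generate_password(24);')"
EOF
}

# Usage: sh kirki-audit.sh --live "owner alice"   (hypothetical filename)
if [ "${1:-}" = "--live" ]; then
  run_live_audit "${2:-}"
else
  echo "Sample plugin list: $(assess_kirki "$SAMPLE_PLUGIN_LIST")"
  echo "Sample unexpected admins: $(unexpected_admins "$SAMPLE_ADMIN_LIST" owner)"
fi
```

Run it without arguments to see the helpers work on the constructed samples; run it with `--live` and a quoted list of the admin logins you recognise to audit the real install. The version comparison is done per numeric component rather than as a string, so 6.10.0 correctly ranks above 6.0.7.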
Not confident your site’s covered? Our team can audit your WordPress setup and lock down access — see our cybersecurity services.