Share
## https://sploitus.com/exploit?id=64C0A7A5-05B6-588C-ACED-A80350092137
# ๐Ÿ›ก๏ธ AMN SECURITY ๐Ÿ›ก๏ธ

![CVE-2026-8206](https://img.shields.io/badge/CVE-2026--8206-8A2BE2?style=for-the-badge&logo=security&logoColor=white)
![CVSS 9.8](https://img.shields.io/badge/CVSS-9.8%20CRITICAL-red?style=for-the-badge&logo=expertsexchange&logoColor=white)
![Critical](https://img.shields.io/badge/Severity-CRITICAL-DC143C?style=for-the-badge&logo=fire&logoColor=white)
![WordPress](https://img.shields.io/badge/WordPress-Kirki%20Plugin-21759B?style=for-the-badge&logo=wordpress&logoColor=white)
![Unauthenticated](https://img.shields.io/badge/Auth-Unauthenticated-orange?style=for-the-badge&logo=unlock&logoColor=white)
![Account Takeover](https://img.shields.io/badge/Impact-Account%20Takeover-black?style=for-the-badge&logo=person&logoColor=white)

---

### ๐Ÿ”— Connect with AMN SECURITY

[![Website](https://img.shields.io/badge/Website-amn.amnoffsec.workers.dev-00FF00?style=for-the-badge&logo=googlechrome&logoColor=white)](https://amn.amnoffsec.workers.dev/)
[![Instagram](https://img.shields.io/badge/Instagram-@ixctw-E4405F?style=for-the-badge&logo=instagram&logoColor=white)](https://www.instagram.com/ixctw)
[![Email](https://img.shields.io/badge/Email-ayman.mahmoudoffsec%40gmail.com-D14836?style=for-the-badge&logo=gmail&logoColor=white)](mailto:ayman.mahmoudoffsec@gmail.com)

---







# ๐Ÿ‡ธ๐Ÿ‡ฆ CVE-2026-8206 - ุงุณุชูŠู„ุงุก ุนู„ู‰ ุญุณุงุจุงุช ูˆูˆุฑุฏุจุฑูŠุณ ุนุจุฑ ุฅุถุงูุฉ Kirki

## ๐Ÿ“‹ ุงู„ู…ู„ุฎุต ุงู„ุชู†ููŠุฐูŠ

**CVE-2026-8206** ู‡ูŠ ุซุบุฑุฉ ุฃู…ู†ูŠุฉ ุฎุทูŠุฑุฉ (ุชุตู†ูŠู: **9.8 CRITICAL**) ุชูˆุฌุฏ ููŠ ุฅุถุงูุฉ **Kirki** ู„ู†ุธุงู… ุฅุฏุงุฑุฉ ุงู„ู…ุญุชูˆู‰ **WordPress**. ุชุณู…ุญ ู‡ุฐู‡ ุงู„ุซุบุฑุฉ ู„ู„ู…ู‡ุงุฌู…ูŠู† ุบูŠุฑ ุงู„ู…ุณุฌู„ูŠู† (Unauthenticated attackers) ุจุงู„ุงุณุชูŠู„ุงุก ุงู„ูƒุงู…ู„ ุนู„ู‰ ุญุณุงุจุงุช ุงู„ู…ุณุชุฎุฏู…ูŠู† ุงู„ู…ุณุฌู„ูŠู† ููŠ ุงู„ู…ูˆู‚ุน ุงู„ู…ุณุชู‡ุฏู ุฏูˆู† ุงู„ุญุงุฌุฉ ุฅู„ู‰ ุฃูŠ ุตู„ุงุญูŠุงุช ุฃูˆ ุชูˆุซูŠู‚ ู…ุณุจู‚.

ุชุณุชุบู„ ุงู„ุซุบุฑุฉ ู†ู‚ุทุฉ ู†ู‡ุงูŠุฉ REST API ุงู„ุฎุงุตุฉ ุจู€ **CompLibFormHandler**ุŒ ุญูŠุซ ูŠู…ูƒู† ู„ู„ู…ู‡ุงุฌู… ุฅุนุงุฏุฉ ุชูˆุฌูŠู‡ ุฑุณุงุฆู„ ุฅุนุงุฏุฉ ุชุนูŠูŠู† ูƒู„ู…ุฉ ุงู„ู…ุฑูˆุฑ (Password Reset Emails) ุฅู„ู‰ ุนู†ูˆุงู† ุจุฑูŠุฏ ุฅู„ูƒุชุฑูˆู†ูŠ ูŠุชุญูƒู… ุจู‡ ุงู„ู…ู‡ุงุฌู…ุŒ ู…ู…ุง ูŠู…ูƒู†ู‡ ู…ู† ุชุนูŠูŠู† ูƒู„ู…ุฉ ู…ุฑูˆุฑ ุฌุฏูŠุฏุฉ ูˆุงู„ุฏุฎูˆู„ ุฅู„ู‰ ุงู„ุญุณุงุจ ุจุงู„ูƒุงู…ู„.

| ุงู„ูˆูƒูŠู„ | ุงู„ู‚ูŠู…ุฉ |
|--------|--------|
| CVE ID | CVE-2026-8206 |
| CVSS Score | 9.8 (Critical) |
| ุงู„ู…ุชุฌู‡ | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ุงู„ู…ู†ุชุฌ | WordPress Kirki Plugin |
| ู†ูˆุน ุงู„ุซุบุฑุฉ | Unauthenticated Account Takeover |
| ุงู„ุชุณู„ุณู„ ุงู„ู‡ุฑู…ูŠ | CompLibFormHandler REST API |
| ุงู„ุชุฃุซูŠุฑ | ุงุณุชูŠู„ุงุก ูƒุงู…ู„ ุนู„ู‰ ุงู„ุญุณุงุจ |

---

## ๐Ÿ” ุชูุงุตูŠู„ ุงู„ุซุบุฑุฉ

ุชุณุชุบู„ ู‡ุฐู‡ ุงู„ุซุบุฑุฉ ุขู„ูŠุฉ ุฅุนุงุฏุฉ ุชุนูŠูŠู† ูƒู„ู…ุฉ ุงู„ู…ุฑูˆุฑ ููŠ ุฅุถุงูุฉ Kirki. ุชู‚ูˆู… ุงู„ุฅุถุงูุฉ ุจุชุนุฑูŠุถ ู†ู‚ุทุฉ ู†ู‡ุงูŠุฉ REST API ุชุณู…ุญ ุจุฅุฑุณุงู„ ุทู„ุจุงุช ุฅุนุงุฏุฉ ุชุนูŠูŠู† ูƒู„ู…ุฉ ุงู„ู…ุฑูˆุฑ. ู†ุธุฑู‹ุง ู„ุนุฏู… ูˆุฌูˆุฏ ุงู„ุชุญู‚ู‚ ุงู„ู…ู†ุงุณุจ ู…ู† ุงู„ู…ู„ูƒูŠุฉ ุฃูˆ ุงู„ู…ุตุงุฏู‚ุฉ ุนู„ู‰ ู‡ุฐู‡ ุงู„ู†ู‚ุทุฉุŒ ูŠู…ูƒู† ู„ู„ู…ู‡ุงุฌู…:

1. **ุชุญุฏูŠุฏ ุฃูŠ ุงุณู… ู…ุณุชุฎุฏู… ู…ุณุฌู„** ููŠ ู…ูˆู‚ุน WordPress ุงู„ู…ุณุชู‡ุฏู
2. **ุฅุฑุณุงู„ ุทู„ุจ ุฅุนุงุฏุฉ ุชุนูŠูŠู† ูƒู„ู…ุฉ ุงู„ู…ุฑูˆุฑ** ุฅู„ู‰ ู†ู‚ุทุฉ ู†ู‡ุงูŠุฉ REST API ุงู„ุถุนูŠูุฉ
3. **ุชูˆุฌูŠู‡ ุฑุงุจุท ุฅุนุงุฏุฉ ุงู„ุชุนูŠูŠู†** ุฅู„ู‰ ุนู†ูˆุงู† ุจุฑูŠุฏ ุฅู„ูƒุชุฑูˆู†ูŠ ูŠุชุญูƒู… ุจู‡ ุงู„ู…ู‡ุงุฌู…
4. **ุงุณุชู„ุงู… ุฑุงุจุท ุฅุนุงุฏุฉ ุงู„ุชุนูŠูŠู†** ูˆุชุนูŠูŠู† ูƒู„ู…ุฉ ู…ุฑูˆุฑ ุฌุฏูŠุฏุฉ
5. **ุชุณุฌูŠู„ ุงู„ุฏุฎูˆู„ ุฅู„ู‰ ุงู„ุญุณุงุจ** ุจุงุณู… ุงู„ู…ุณุชุฎุฏู… ุงู„ู…ุฎุชุฑู‚

### ุงู„ู…ูƒูˆู†ุงุช ุงู„ู…ุชุฃุซุฑุฉ

- `KirkiComponentLibrary` โ€“ ุงู„ู…ูƒูˆู†ุฉ ุงู„ุฑุฆูŠุณูŠุฉ
- `/wp-json/KirkiComponentLibrary/v1/kirki-forgot-password` โ€“ ู†ู‚ุทุฉ ู†ู‡ุงูŠุฉ REST API
- ุขู„ูŠุฉ ุฅุนุงุฏุฉ ุชุนูŠูŠู† ูƒู„ู…ุฉ ุงู„ู…ุฑูˆุฑ ููŠ Kirki

---

## โš™๏ธ ุขู„ูŠุฉ ุงู„ู‡ุฌูˆู…

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚   Attacker      โ”‚     โ”‚  WordPress Site  โ”‚     โ”‚  Attacker Email  โ”‚
โ”‚   (Unauth)      โ”‚     โ”‚  (Kirki Plugin)  โ”‚     โ”‚                  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚                       โ”‚                        โ”‚
         โ”‚  1. Scan for Kirki    โ”‚                        โ”‚
         โ”‚  forms & extract nonceโ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  2. POST reset req    โ”‚                        โ”‚
         โ”‚  (username + attacker โ”‚                        โ”‚
         โ”‚   email)              โ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  3. Server processes  โ”‚                        โ”‚
         โ”‚  request without auth โ”‚                        โ”‚
         โ”‚  verification         โ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  4. Reset link sent   โ”‚                        โ”‚
         โ”‚  to attacker email    โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  5. Click reset link  โ”‚                        โ”‚
         โ”‚  & set new password   โ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  6. Log in as victim  โ”‚                        โ”‚
         โ”‚  account takeover โœ”   โ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
```

---

## ๐Ÿ› ๏ธ ุงุณุชุฎุฏุงู… ุงู„ุฃุฏุงุฉ

### ุงู„ู…ุชุทู„ุจุงุช

```bash
pip install requests beautifulsoup4
```

### ุงู„ุงุณุชูŠู„ุงุก ุนู„ู‰ ุญุณุงุจ ูˆุงุญุฏ

```bash
python3 CVE-2026-8206.py https://target-site.com -u admin -e attacker@gmail.com
```

### ุงุณุชู‡ุฏุงู ุญุณุงุจุงุช ู…ุชุนุฏุฏุฉ

```bash
python3 CVE-2026-8206.py https://target-site.com -e attacker@gmail.com --batch users.txt
```

### ุชุนุฏุงุฏ ุงู„ู…ุณุชุฎุฏู…ูŠู†

```bash
python3 CVE-2026-8206.py https://target-site.com -u admin -e attacker@gmail.com --enumerate
```

### ุฅุธู‡ุงุฑ ุงู„ู…ุฎุฑุฌุงุช ุงู„ุชูุตูŠู„ูŠุฉ

```bash
python3 CVE-2026-8206.py https://target-site.com -u admin -e attacker@gmail.com -v
```

### ุงู„ุฎูŠุงุฑุงุช ุงู„ู…ุชุงุญุฉ

| ุงู„ุฎูŠุงุฑ | ุงู„ูˆุตู |
|--------|-------|
| `target` | ุฑุงุจุท ุงู„ู…ูˆู‚ุน ุงู„ู…ุณุชู‡ุฏู (ู…ุทู„ูˆุจ) |
| `-u, --username` | ุงุณู… ุงู„ู…ุณุชุฎุฏู… ุงู„ู…ุณุชู‡ุฏู ู„ู„ุงุณุชูŠู„ุงุก (ู…ุทู„ูˆุจ) |
| `-e, --email` | ุงู„ุจุฑูŠุฏ ุงู„ุฅู„ูƒุชุฑูˆู†ูŠ ู„ู„ู…ู‡ุงุฌู… ู„ุงุณุชู„ุงู… ุฑุงุจุท ุฅุนุงุฏุฉ ุงู„ุชุนูŠูŠู† (ู…ุทู„ูˆุจ) |
| `-v, --verbose` | ุฅุธู‡ุงุฑ ุงู„ู…ุฎุฑุฌุงุช ุงู„ุชูุตูŠู„ูŠุฉ |
| `--enumerate` | ุชุนุฏุงุฏ ู…ุณุชุฎุฏู…ูŠ WordPress |
| `--batch FILE` | ุงุณุชูŠู„ุงุก ุฌู…ุงุนูŠ ู…ู† ู…ู„ู |
| `--delay SECONDS` | ุชุฃุฎูŠุฑ ุจูŠู† ุงู„ุทู„ุจุงุช (ุงู„ุงูุชุฑุงุถูŠ: 1 ุซุงู†ูŠุฉ) |

---

## ๐Ÿ›ก๏ธ ุงู„ุฅุฌุฑุงุกุงุช ุงู„ุนู„ุงุฌูŠุฉ

ู„ุญู…ุงูŠุฉ ู…ูˆู‚ุนูƒ ู…ู† ู‡ุฐู‡ ุงู„ุซุบุฑุฉุŒ ูŠููˆุตู‰ ุจุงุชุฎุงุฐ ุงู„ุฅุฌุฑุงุกุงุช ุงู„ุชุงู„ูŠุฉ:

1. **ุชุญุฏูŠุซ ุฅุถุงูุฉ Kirki** ุฅู„ู‰ ุฃุญุฏุซ ุฅุตุฏุงุฑ ููˆุฑุงู‹
2. **ุชุนุทูŠู„ ุงู„ุฅุถุงูุฉ** ู…ุคู‚ุชุงู‹ ุฅุฐุง ู„ู… ูŠุชูˆูุฑ ุชุญุฏูŠุซ
3. **ู…ุฑุงุฌุนุฉ ุณุฌู„ุงุช WordPress** ู„ู„ูƒุดู ุนู† ุฃูŠ ู†ุดุงุท ู…ุดุจูˆู‡
4. **ุชุบูŠูŠุฑ ูƒู„ู…ุงุช ู…ุฑูˆุฑ ุฌู…ูŠุน ุงู„ู…ุณุชุฎุฏู…ูŠู†** ูƒุฅุฌุฑุงุก ุงุญุชุฑุงุฒูŠ
5. **ุชูุนูŠู„ ุงู„ู…ุตุงุฏู‚ุฉ ู…ุชุนุฏุฏุฉ ุงู„ุนูˆุงู…ู„ (MFA)** ู„ุฌู…ูŠุน ุงู„ุญุณุงุจุงุช ุงู„ุฅุฏุงุฑูŠุฉ
6. **ุงุณุชุฎุฏุงู… ุฌุฏุงุฑ ุญู…ุงูŠุฉ WordPress** (ู…ุซู„ Wordfence) ู„ู…ู†ุน ุงู„ุทู„ุจุงุช ุงู„ุถุงุฑุฉ
7. **ู…ุฑุงู‚ุจุฉ ู†ู‚ุงุท ู†ู‡ุงูŠุฉ REST API** ุจุญุซุงู‹ ุนู† ุฃูŠ ู†ุดุงุท ุบูŠุฑ ู…ุตุฑุญ ุจู‡

### ุงู„ุฅุฌุฑุงุก ุงู„ูˆู‚ุงุฆูŠ ุนุจุฑ `.htaccess`

```apache

    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^.*KirkiComponentLibrary.* [NC]
    RewriteCond %{REQUEST_METHOD} POST
    RewriteRule ^.*$ - [F,L]

```

---

## โš ๏ธ ุฅุฎู„ุงุก ุงู„ู…ุณุคูˆู„ูŠุฉ

ู‡ุฐู‡ ุงู„ุฃุฏุงุฉ ู…ู‚ุฏู…ุฉ ู„ู„ุฃุบุฑุงุถ ุงู„ุชุนู„ูŠู…ูŠุฉ ูˆุงู„ุจุญุซูŠุฉ ูู‚ุท. ุงุณุชุฎุฏุงู… ู‡ุฐู‡ ุงู„ุฃุฏุงุฉ ู„ุงุณุชู‡ุฏุงู ุฃู†ุธู…ุฉ ุจุฏูˆู† ุฅุฐู† ุตุฑูŠุญ ู‡ูˆ ุบูŠุฑ ู‚ุงู†ูˆู†ูŠ ูˆูŠุนุชุจุฑ ุงู†ุชู‡ุงูƒุงู‹ ู„ู„ู‚ูˆุงู†ูŠู† ุงู„ู…ุญู„ูŠุฉ ูˆุงู„ุฏูˆู„ูŠุฉ. ุฃู†ุช ุงู„ู…ุณุคูˆู„ ุงู„ูˆุญูŠุฏ ุนู† ุงุณุชุฎุฏุงู…ูƒ ู„ู‡ุฐู‡ ุงู„ุฃุฏุงุฉ. ุงู„ู…ุณุชุฎุฏู… ูŠุชุญู…ู„ ูƒุงู…ู„ ุงู„ู…ุณุคูˆู„ูŠุฉ ุนู† ุฃูŠ ุนูˆุงู‚ุจ ู‚ุงู†ูˆู†ูŠุฉ ุฃูˆ ุฃุถุฑุงุฑ ู†ุงุชุฌุฉ ุนู† ุณูˆุก ุงู„ุงุณุชุฎุฏุงู….

---



---



# ๐Ÿ‡ฌ๐Ÿ‡ง CVE-2026-8206 - Kirki WordPress Plugin Unauthenticated Account Takeover

## ๐Ÿ“‹ Executive Summary

**CVE-2026-8206** is a critical security vulnerability (CVSS: **9.8 CRITICAL**) found in the **Kirki WordPress Plugin**. This flaw allows **unauthenticated attackers** to perform a complete **account takeover** of any registered WordPress user without requiring any prior authentication or privileges.

The vulnerability exists in the **CompLibFormHandler REST API endpoint**, where attackers can manipulate password reset requests to redirect password reset emails to attacker-controlled email addresses. Once the reset link is intercepted, the attacker can set a new password and gain full access to the compromised account.

| Field | Value |
|-------|-------|
| CVE ID | CVE-2026-8206 |
| CVSS Score | 9.8 (Critical) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Product | WordPress Kirki Plugin |
| Vulnerability Type | Unauthenticated Account Takeover |
| Attack Vector | CompLibFormHandler REST API |
| Impact | Complete Account Takeover |

---

## ๐Ÿ” Vulnerability Details

This vulnerability exploits the password reset mechanism within the Kirki plugin. The plugin exposes a REST API endpoint that processes password reset requests. Due to insufficient authorization checks and lack of ownership verification on this endpoint, an attacker can:

1. **Identify any registered username** on the target WordPress site
2. **Craft a password reset request** to the vulnerable REST API endpoint
3. **Redirect the reset link** to an email address controlled by the attacker
4. **Receive the reset link** and set a new password for the victim's account
5. **Log in** as the compromised user

### Affected Components

- `KirkiComponentLibrary` โ€“ Core component
- `/wp-json/KirkiComponentLibrary/v1/kirki-forgot-password` โ€“ REST API endpoint
- Kirki password reset mechanism

---

## โš™๏ธ Attack Flow

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”     โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚   Attacker      โ”‚     โ”‚  WordPress Site  โ”‚     โ”‚  Attacker Email  โ”‚
โ”‚   (Unauth)      โ”‚     โ”‚  (Kirki Plugin)  โ”‚     โ”‚                  โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜     โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
         โ”‚                       โ”‚                        โ”‚
         โ”‚  1. Scan for Kirki    โ”‚                        โ”‚
         โ”‚  forms & extract nonceโ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  2. POST reset req    โ”‚                        โ”‚
         โ”‚  (username + attacker โ”‚                        โ”‚
         โ”‚   email)              โ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  3. Server processes  โ”‚                        โ”‚
         โ”‚  request without auth โ”‚                        โ”‚
         โ”‚  verification         โ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  4. Reset link sent   โ”‚                        โ”‚
         โ”‚  to attacker email    โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  5. Click reset link  โ”‚                        โ”‚
         โ”‚  & set new password   โ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
         โ”‚                       โ”‚                        โ”‚
         โ”‚  6. Log in as victim  โ”‚                        โ”‚
         โ”‚  account takeover โœ”   โ”‚                        โ”‚
         โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–บโ”‚                        โ”‚
```

---

## ๐Ÿ› ๏ธ Usage

### Requirements

```bash
pip install requests beautifulsoup4
```

### Single Account Takeover

```bash
python3 CVE-2026-8206.py https://target-site.com -u admin -e attacker@gmail.com
```

### Batch Account Takeover

```bash
python3 CVE-2026-8206.py https://target-site.com -e attacker@gmail.com --batch users.txt
```

### Enumerate Users

```bash
python3 CVE-2026-8206.py https://target-site.com -u admin -e attacker@gmail.com --enumerate
```

### Verbose Output

```bash
python3 CVE-2026-8206.py https://target-site.com -u admin -e attacker@gmail.com -v
```

### Options

| Option | Description |
|--------|-------------|
| `target` | Target WordPress URL (required) |
| `-u, --username` | Target username for takeover (required) |
| `-e, --email` | Attacker email to receive reset link (required) |
| `-v, --verbose` | Enable verbose output |
| `--enumerate` | Enumerate WordPress users |
| `--batch FILE` | Batch exploit from file (one username per line) |
| `--delay SECONDS` | Delay between requests (default: 1) |

---

## ๐Ÿ›ก๏ธ Remediation

To protect your WordPress site from this vulnerability, follow these steps:

1. **Update Kirki Plugin** to the latest patched version immediately
2. **Disable the plugin** temporarily if no patch is available
3. **Review WordPress logs** for any suspicious activity
4. **Reset passwords for all users** as a precautionary measure
5. **Enable Multi-Factor Authentication (MFA)** for all administrative accounts
6. **Deploy a WordPress firewall** (e.g., Wordfence) to block malicious requests
7. **Monitor REST API endpoints** for unauthorized access attempts

### `.htaccess` Mitigation

```apache

    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^.*KirkiComponentLibrary.* [NC]
    RewriteCond %{REQUEST_METHOD} POST
    RewriteRule ^.*$ - [F,L]

```

---

## โš ๏ธ Disclaimer

This tool is provided for **educational and authorized security testing purposes only**. Using this tool against systems without explicit permission is illegal and constitutes a violation of local and international laws. You are solely responsible for your use of this tool. The author assumes no liability for any misuse or damages caused by this tool.

---



### AMN SECURITY Research Team

*Securing the digital world, one vulnerability at a time.*

---