CVE-2026-15457
Received Received - Intake

Directory Traversal in Kirki WordPress Plugin

Vulnerability report for CVE-2026-15457, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Wordfence

Description

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
kirki freeform_page_builder to 6.0.13 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The Kirki plugin for WordPress has a Directory Traversal vulnerability in versions up to 6.0.13. This flaw allows authenticated attackers with editor-level access or higher to delete arbitrary directories on the server by exploiting the 'family' parameter. This can lead to data loss and reduced system availability.

Detection Guidance

To detect this vulnerability, check for unauthorized directory deletions or suspicious activity in server logs. Look for requests to the 'family' parameter in the Kirki plugin with unusual paths. Review WordPress user roles for unauthorized editor-level access.

Impact Analysis

If you use the vulnerable Kirki plugin, an attacker with editor access could delete important files or directories on your server. This may cause website downtime, loss of critical data, or disruption of services, affecting your business operations.

Compliance Impact

This vulnerability could lead to unauthorized data deletion, potentially violating GDPR's integrity principle or HIPAA's availability requirements. Compliance may be impacted if sensitive data is lost or systems become unavailable due to the attack.

Mitigation Strategies

Immediately update the Kirki plugin to the latest version beyond 6.0.13. Remove editor-level access for users who don't require it. Monitor server directories for unauthorized changes and restrict file deletion permissions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart