CVE-2026-57680
Status: Deferred - Pending Action

Unauthenticated IDOR in Kirki <= 6.0.11

Vulnerability report for CVE-2026-57680, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: Patchstack

Description

Unauthenticated Insecure Direct Object References (IDOR) in Kirki <= 6.0.11 versions.


Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor      Product   Version / Range
wordpress   kirki     up to 6.0.12 (exclusive)
aristath    kirki     6.0.11

Exploitability

CWE ID    Description
CWE-639   The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

KEV: not listed

Executive Summary

The WordPress Kirki plugin, versions 6.0.11 and earlier, contains an Insecure Direct Object References (IDOR) vulnerability. The flaw lets unauthenticated attackers bypass authorization controls and gain access to sensitive files or folders, or interact with the database in ways that should not be permitted. In short, improper access control lets attackers reach resources they are not authorized to use.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive data or system components without any authentication. Attackers can use it to read or manipulate files and database contents, potentially compromising the integrity and availability of the affected website. It is expected to be targeted in mass-exploitation campaigns, which could affect thousands of websites regardless of their size or popularity.

Detection Guidance

This vulnerability allows unauthenticated attackers to bypass authorization and access sensitive files or folders, or interact with the database, by exploiting improper access controls in Kirki WordPress plugin versions 6.0.11 and earlier.

Patchstack has published a mitigation rule that blocks attacks until the plugin is updated; monitoring hits on such a rule is therefore one way to detect attempts to exploit this IDOR vulnerability.

However, no specific commands or detection methods are provided in the available resources.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Kirki WordPress plugin to version 6.0.12 or later, which contains the patch that resolves the issue.

If updating immediately is not possible, users are advised to seek assistance from their hosting provider or developer.

Additionally, applying the mitigation rule provided by Patchstack to block attacks targeting this vulnerability can help protect the site until the update is applied.
