Hackers are exploiting a critical privilege escalation vulnerability (CVE-2026-8206) in the Kirki plugin for WordPress to take over any user account, including those belonging to administrators. [...]
Critical Kirki flaw exploited to hijack WordPress admin accounts
Summary + source link. No paywalls, no tracking.