CVE-2026-15457
Description
The Kirki โ Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
References
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/app/Http/Controllers/Api/GlobalDataController.php#L105
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/app/Services/FontService.php#L157
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/includes/Ajax/Media.php#L996
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/routes/api.php#L74
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/app/Http/Controllers/Api/GlobalDataController.php#L105
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/app/Services/FontService.php#L157
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/includes/Ajax/Media.php#L996
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/routes/api.php#L74
- https://plugins.trac.wordpress.org/changeset?reponame=&old=3608888%40kirki&new=3608888%40kirki
- https://www.wordfence.com/threat-intel/vulnerabilities/id/01a52285-2d0c-4b29-8dab-18a3e3640e5c?source=cve
CWEs
CWE-22
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.