The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get_single_symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki_symbol post — including unpublished drafts — by supplying a sequential WordPress post ID.
References
Configurations
No configuration.
History
02 Jul 2026, 10:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-02 10:16
Updated : 2026-07-02 13:58
NVD link : CVE-2026-12122
Mitre link : CVE-2026-12122
CVE.ORG link : CVE-2026-12122
JSON object : View
Products Affected
No product.
CWE
CWE-862
Missing Authorization
