CVE-2026-12122

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get_single_symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki_symbol post — including unpublished drafts — by supplying a sequential WordPress post ID.
Configurations

No configuration.

History

02 Jul 2026, 10:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-02 10:16

Updated : 2026-07-02 13:58


NVD link : CVE-2026-12122

Mitre link : CVE-2026-12122

CVE.ORG link : CVE-2026-12122


JSON object : View

Products Affected

No product.

CWE
CWE-862

Missing Authorization