CVE-2026-8073
Published: 19 May 2026
Summary
CVE-2026-8073 is a high-severity Relative Path Traversal (CWE-23) vulnerability in WordPress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, it is ranked at the 25.3th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
NVD Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files limited in the WordPress uploads base directory.
Details
- CWE(s)