CVE-2026-12122
Severity: Medium (CVSS 5.3)
Exploitation Probability (EPSS): Low risk, 39th percentile (higher than 39% of all known CVEs)
Summary
The Kirki plugin for WordPress, in all versions up to and including 6.0.11, is vulnerable to sensitive information exposure via the get_single_symbol function. Unauthenticated attackers can extract the full builder metadata and rendered HTML of any kirki_symbol post, including unpublished drafts, by supplying a sequential WordPress post ID.
Risk Assessment
The risk involves potential theft of confidential design data, such as unpublished layouts and content, which could lead to business information leakage or privacy breaches.
Recommendation
It is recommended to immediately update the Kirki plugin to the latest available version that fixes this vulnerability. If an update is not possible, temporarily disable the plugin.
Original NVD description (English source)
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.11 via the get_single_symbol. This makes it possible for unauthenticated attackers to extract the full builder metadata and rendered HTML of any kirki_symbol post — including unpublished drafts — by supplying a sequential WordPress post ID.
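As an added illustration of the authorization gate that the description above says is missing (this is not Kirki's code or its fix), here is a hypothetical hardened REST reader for the kirki_symbol post type, applying the same read check WordPress core uses in its posts controller; the route namespace, path and meta key are assumptions.

```php
<?php
// Hypothetical hardened REST reader for the "kirki_symbol" post type.
// Added to this advisory as an illustration; not Kirki's own code or fix.
// The route namespace, path and meta key below are assumptions.
// Returns true if the current request may read the symbol, else a WP_Error.
function example_symbol_read_check( $post_id ) {
    $post = get_post( absint( $post_id ) );

    // Pin the lookup to the expected post type so the endpoint cannot be
    // used as a generic reader for arbitrary sequential post IDs.
    if ( ! $post || 'kirki_symbol' !== $post->post_type ) {
        return new WP_Error( 'rest_not_found', 'Symbol not found.', array( 'status' => 404 ) );
    }

    // A published item of a public post type is readable by everyone.
    $type = get_post_type_object( $post->post_type );
    if ( 'publish' === $post->post_status && $type && $type->public ) {
        return true;
    }

    // Draft, pending, private or trashed: require the per-post read capability,
    // which WordPress maps to edit/read_private caps for non-public statuses.
    // Anonymous requests never satisfy this, closing the draft-exposure path.
    if ( current_user_can( 'read_post', $post->ID ) ) {
        return true;
    }
    // Answer exactly like a missing ID so the check does not confirm existence.
    return new WP_Error( 'rest_not_found', 'Symbol not found.', array( 'status' => 404 ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/symbol/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'args'                => array( 'id' => array( 'sanitize_callback' => 'absint' ) ),
        // Authorization runs before the callback; data is built only for requests that passed it.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return example_symbol_read_check( $request['id'] );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $post = get_post( absint( $request['id'] ) );
            return rest_ensure_response( array(
                'id'       => $post->ID,
                'status'   => $post->post_status,
                'builder'  => get_post_meta( $post->ID, '_example_builder', true ), // assumed key
                'rendered' => apply_filters( 'the_content', $post->post_content ),
            ) );
        },
    ) );
} );
```

The same two checks (post type pinned, then publish-and-public or current_user_can('read_post')) belong in any AJAX handler that takes a post ID from an unauthenticated caller, not only in REST routes.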