CVE-2026-15457
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 6.0.13 via the 'family' parameter. This makes it possible for authenticated attackers, with editor-level access and above, to delete arbitrary directories on the server, which can result in loss of data and availability.
Impact
Base Score 3.x
4.90
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/app/Http/Controllers/Api/GlobalDataController.php#L105
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/app/Services/FontService.php#L157
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/includes/Ajax/Media.php#L996
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.12/routes/api.php#L74
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/app/Http/Controllers/Api/GlobalDataController.php#L105
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/app/Services/FontService.php#L157
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/includes/Ajax/Media.php#L996
- https://plugins.trac.wordpress.org/browser/kirki/tags/6.0.13/routes/api.php#L74
- https://plugins.trac.wordpress.org/changeset?reponame=&old=3608888%40kirki&new=3608888%40kirki
- https://www.wordfence.com/threat-intel/vulnerabilities/id/01a52285-2d0c-4b29-8dab-18a3e3640e5c?source=cve



