Kirki
- <= 6.0.6
A vulnerability allowing arbitrary file deletion has been identified in the Kirki WordPress plugin, affecting versions through 6.0.6. The issue stems from inadequate file path validation and a missing capability check in the 'downloadZIP' function. As a result, unauthenticated attackers can read and delete arbitrary files within the WordPress uploads directory, subject to some limitations.
Exploitation of this vulnerability allows for unauthorized deletion of files in the WordPress uploads directory, which could lead to loss of important data or disruption of website functionality.
The vulnerability can be reproduced by sending a request to the WordPress REST API with the 'page-export' parameter set to 'true' and the 'file-name' parameter specifying the name of the file to be deleted. The 'downloadZIP' function will be triggered, bypassing file type validation and capability checks, allowing for arbitrary file deletion.
Users are advised to update the Kirki WordPress plugin to version 6.0.7 or a newer patched version.
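For plugin developers, the two controls this advisory describes as missing (a capability check and validation that the requested file stays inside the uploads directory) can be illustrated as follows. This is an added example, not Kirki's code; the REST route, the function names and the 'example-exports' subdirectory are assumptions, while the 'file-name' parameter name is taken from the advisory.

```php
<?php
// Hypothetical hardened export handler for a WordPress plugin (not Kirki's code).
// It shows the checks the advisory says downloadZIP lacked: a capability check
// enforced before the callback runs, and a file path confined to the uploads dir.

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/export', array(
        'methods'             => 'POST',
        'callback'            => 'example_export_callback',
        // Capability check: the REST layer rejects the request before the
        // callback executes unless the caller can manage options.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Resolve a user-supplied file name to a path inside the export directory,
// or return false if it cannot be safely resolved.
function example_resolve_upload_path( $file_name ) {
    // Accept only a bare file name: if sanitising changes the input at all
    // (path separators, control characters, leading dots), reject it.
    $clean = sanitize_file_name( wp_basename( (string) $file_name ) );
    if ( '' === $clean || $clean !== $file_name ) {
        return false;
    }
    // Only the export format this handler produces is eligible for deletion.
    if ( 'zip' !== strtolower( pathinfo( $clean, PATHINFO_EXTENSION ) ) ) {
        return false;
    }
    $uploads = wp_upload_dir();
    $base    = realpath( $uploads['basedir'] . '/example-exports' ); // assumed subdir
    $target  = realpath( $base . '/' . $clean );
    // realpath() resolves symlinks and '..'; confirm the result is still
    // strictly below the base directory before touching the file.
    if ( false === $base || false === $target
        || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $target;
}

function example_export_callback( WP_REST_Request $request ) {
    $path = example_resolve_upload_path( $request->get_param( 'file-name' ) );
    if ( false === $path ) {
        return new WP_Error( 'invalid_file', 'Invalid export file name.', array( 'status' => 400 ) );
    }
    $data = file_get_contents( $path );
    wp_delete_file( $path ); // one-time download: remove the export after it is read
    return new WP_REST_Response( array(
        'file'    => wp_basename( $path ),
        'content' => base64_encode( $data ),
    ) );
}
```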