CyberRota

CVE-2026-12472

MEDIUM · CVSS 5.3 · EPSS 0.49%

Source: NVD + CISA KEV + EPSS · Published: 2026-07-02T10:16:27.653 · Fetched: 2026-07-02T18:28:03.000305+00:00

CyberRota Commentary

Detailed analysis required.

CVE: CVE-2026-12472
Severity: MEDIUM
CVSS: 5.3
EPSS: 0.49%
Tag: WordPress

Original NVD Description

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.11. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to send arbitrary HTML-injected emails — including phishing messages embedding a real, valid WordPress password-reset URL for the targeted user — to any registered user via the site's own mail server, abusing its SPF/DKIM reputation. The attacker-controlled emailSubject parameter is passed to wp_mail() with only sanitize_text_field() applied, while emailBody 'text' items are concatenated raw into the HTML email body with no escaping, and 'chip' items can include the genuine WordPress password-reset link for the targeted account.
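As an added illustration, not Kirki's code and not part of the NVD record, the following hypothetical WordPress AJAX handler shows the controls whose absence the description names: a capability check before the action is performed, a request nonce, and escaping of every body fragment before it is concatenated into the HTML passed to wp_mail(). The hook name, the nonce action, the request parameter names and the item types ('text', 'link') are assumptions chosen for the example; only the WordPress API functions are real.

```php
<?php
// Added example (not the plugin's code). Hypothetical names: myplugin_send_notice,
// the nonce action 'myplugin_send_notice', and the user_id / emailSubject / emailBody
// request parameters.

// Registered for logged-in users only. Deliberately NO wp_ajax_nopriv_ hook, so the
// endpoint is not reachable by unauthenticated visitors at all.
add_action( 'wp_ajax_myplugin_send_notice', 'myplugin_send_notice' );

function myplugin_send_notice() {
    // 1. Authorization: require a capability, not merely a logged-in session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'myplugin_send_notice', 'nonce' );

    // 3. Recipient is selected by user ID and resolved server-side; the request never
    //    supplies a free-form address.
    $user = get_user_by( 'id', absint( $_POST['user_id'] ?? 0 ) );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 400 );
    }

    // 4. Subject: plain text only (tags, line breaks and extra whitespace removed).
    $subject = sanitize_text_field( wp_unslash( $_POST['emailSubject'] ?? '' ) );

    // 5. Body: each fragment is escaped before it enters the HTML template, so any
    //    markup supplied by the caller is rendered as inert text.
    $items = ( isset( $_POST['emailBody'] ) && is_array( $_POST['emailBody'] ) )
        ? $_POST['emailBody']
        : array();
    $parts = array();
    foreach ( $items as $item ) {
        $type  = isset( $item['type'] )  ? sanitize_key( $item['type'] ) : '';
        $value = isset( $item['value'] ) ? wp_unslash( $item['value'] )  : '';

        if ( 'text' === $type ) {
            $parts[] = '<p>' . esc_html( $value ) . '</p>';
        } elseif ( 'link' === $type ) {
            // Only links on this site are allowed, and the handler never generates
            // or forwards account-recovery URLs.
            $url = esc_url_raw( $value );
            if ( $url && wp_parse_url( $url, PHP_URL_HOST ) === wp_parse_url( home_url(), PHP_URL_HOST ) ) {
                $parts[] = '<p><a href="' . esc_url( $url ) . '">' . esc_html( $url ) . '</a></p>';
            }
        }
        // Any other item type is silently dropped.
    }
    $body = '<html><body>' . implode( "\n", $parts ) . '</body></html>';

    $sent = wp_mail(
        $user->user_email,
        $subject,
        $body,
        array( 'Content-Type: text/html; charset=UTF-8' )
    );

    if ( $sent ) {
        wp_send_json_success();
    }
    wp_send_json_error( 'mail failed', 500 );
}
```

The order matters: the capability and nonce checks run before any request data is read, so a forged or anonymous request is rejected without ever reaching wp_mail(). When reviewing a plugin for this class of bug, the points to check are the same three: is there a wp_ajax_nopriv_ registration for a mail-sending action, is there a current_user_can() check with an appropriate capability, and is every caller-supplied string passed through esc_html() (or a wp_kses() allow-list) before it is concatenated into HTML.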