External risk intelligence

Kirki PHP Object Injection Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-57724

This vulnerability affects a WordPress plugin. WordPress plugins are commonly deployed as part of public-facing web applications, making the attack surface reachable via the internet in standard deployments.

Deserialization

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Kirki WordPress plugin, stemming from a flaw in how it handles untrusted data, potentially allowing for code injection. This type of issue could enable unauthorized access and manipulation of systems if exploited. The primary concern at this time is to confirm whether this specific plugin and version are in use within the organization's environment.

  • Data handling flaw in a WordPress plugin.
  • Critical risk; potential for unauthorized system access.
  • Confirm relevance and exposure within our environment.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted data over the network to a vulnerable installation of the Kirki WordPress plugin. This data, when processed by the plugin's deserialization function, can lead to the injection of malicious objects. If successful, this could allow an attacker to execute arbitrary code or take other harmful actions on the affected website.

  • Entry condition: Network exposure.
  • Trigger point: Deserialization of untrusted data.
  • Resulting risk: Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to inject malicious objects into a system that uses the Kirki WordPress plugin, potentially leading to the execution of arbitrary code. This could impact the integrity and availability of the affected website or application.

  • Plugin's internal data structures.
  • Via crafted user input in supported conditions.
  • Potential for unauthorized code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Kirki WordPress plugin likely impacts application owners and platform teams responsible for maintaining the WordPress environment. The first practical step is to identify all instances of the Kirki plugin, determine their exposure, and confirm ownership before planning remediation.

  • Application owners should prioritize this.
  • Verify Kirki plugin exposure and criticality.
  • Plan coordinated remediation and vendor engagement.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Kirki plugin for WordPress?

Kirki is a widely used toolkit for WordPress theme developers. It acts as a framework that simplifies the process of creating customizer controls, allowing themes to offer advanced design settings and options to site administrators through a unified interface.

How does CVE-2026-57724 create a security risk?

This vulnerability is classified as Deserialization of Untrusted Data (CWE-502). It happens when the plugin processes data from an untrusted source without proper validation. By injecting a malicious object during this process, an attacker could manipulate the application's logic or potentially execute unauthorized code.

Do I need to be logged in for this bug to trigger?

No, this vulnerability does not require authentication. An attacker can attempt to trigger it by sending specifically crafted network requests to the target website. The bug occurs when the plugin's deserialization function processes this malicious input; it is not triggered by standard, legitimate user interactions.

Why is this CVE considered relevant for my website?

According to Halo Surface Signal, this plugin is frequently used in public-facing WordPress sites. Because the attack vector is network-based, any installation of Kirki that is accessible from the internet faces a higher risk of being targeted by external actors.

What should I do first if I use the Kirki plugin?

Start by performing an inventory to identify every instance of the Kirki plugin within your WordPress environments. Once identified, verify which sites are using versions 6.0.12 or older. After assessing your footprint, coordinate with your platform team to prepare for updates or vendor-provided patches.

References