If you use Kirki, update it now. A newly disclosed flaw could let an attacker take over WordPress user accounts, including administrator accounts, on vulnerable sites.
Kirki flaw could hand your admin account to an attacker
Wordfence disclosed an unauthenticated privilege escalation flaw in the Kirki plugin. In plain English, that means someone did not need to log in before trying to gain higher access on the site.
The bug sat in the plugin’s password reset flow. Wordfence says an attacker could change where the password reset email went, send that reset link to an email address they controlled, and then take over any user account they chose. That includes administrator accounts.
This issue affects sites that use the Kirki plugin and run versions in the 6.0 release line before the fix. Wordfence says the bug first appeared in the 6.0 major release, so sites on versions older than 6.0 do not face this specific problem. The plugin has more than 500,000 active installs, but Wordfence estimates about 150,000 sites actually ran a vulnerable version.
Update Kirki to the latest version now, then review your user list for unknown admins and reset passwords for administrator accounts if anything looks off.
End of article