A newly disclosed vulnerability in Kirki, a WordPress customizer framework installed on more than 500,000 sites, lets an unauthenticated attacker send phishing email through a site’s own outbound mail server. No stolen credentials, no spoofed sender, no third-party sending service to abuse. The message is generated and sent by the legitimate site itself, which means it inherits that site’s real SPF alignment, real DKIM signature, and a clean DMARC pass, because nothing about the authentication layer is being tricked. The mail genuinely did come from where it says it came from.
What CVE-2026-12472 Actually Does
Kirki provides the “Customizer” experience many WordPress themes rely on for live-preview design controls, and it includes a notification feature that emails site users through interface elements the plugin calls “chips.” The flaw, tracked as CVE-2026-12472, is an authorization bypass: the plugin fails to verify that the request triggering one of these emails is coming from someone entitled to send it. In all versions up to and including 6.0.11, an unauthenticated attacker can call the underlying endpoint directly and control both the subject and body of the resulting message.
The subject line passes through sanitize_text_field(), a thin filter that strips some formatting but does nothing to stop convincing social-engineering text. The body is worse: the “text” items inside emailBody are concatenated directly into the HTML email with no escaping at all, giving the attacker raw HTML injection inside a message the recipient’s own site is about to send them. Most damaging of all, the “chip” items in that same body can include a genuine, valid WordPress password-reset link for the specific account the attacker targets. The result is a phishing email that looks, authenticates, and functions exactly like a real password-reset notification from a site the recipient already trusts, because it is one.
A Different Failure Mode Than Stolen Credentials
Readers of this blog may recall our coverage of CVE-2026-4020 in the Gravity SMTP plugin last month, where attackers extracted a site’s stored email service provider API keys and sent mail through the victim’s own ESP account. That was a credential theft problem: the attacker obtained real keys and used real infrastructure that was not theirs to use.
CVE-2026-12472 is a different animal. There is no credential to steal, because the attacker never needs one. The vulnerable code path is part of the site’s own application logic, running on the site’s own server, calling the site’s own wp_mail() function exactly as it would for a legitimate password-reset request. The only thing broken is the authorization check that should have confirmed the request was allowed in the first place. Everything downstream of that missing check, the mail transport, the DKIM signing, the SPF-aligned sending IP, is completely legitimate. That is precisely what makes it dangerous.
Where DMARC Has Nothing to Add
This case draws the line around DMARC’s scope more sharply than most. DMARC, SPF, and DKIM exist to answer one question: did this message travel through infrastructure the domain owner authorized to send on their behalf? For a message generated by CVE-2026-12472, the honest answer is yes. The domain’s real mail server sent it. The domain’s real DKIM key signed it. The domain’s real SPF record covers the sending IP. A receiving mailbox provider evaluating this message against the domain’s DMARC policy will record a pass, because by every measure DMARC checks, the message qualifies as legitimate.
DMARC aggregate reports will not flag this either. Aggregate reports summarize authentication pass and fail rates by sending source; they say nothing about whether the content of a passing message was authorized by the site owner or injected by an anonymous attacker exploiting a broken permission check. A domain can sit at p=reject with a perfect authentication record and still deliver a phishing email to a real customer, because the vulnerability lives in application logic that DMARC was never built to inspect.
What Site Owners Need to Do
Update Kirki now. The authorization bypass is patched in the current release; any site running 6.0.11 or earlier is exposed. Given that Kirki has also carried a critical unauthenticated account-takeover flaw (CVE-2026-8206, CVSS 9.8, patched in 6.0.7) and a separate unauthenticated SSRF issue patched in 6.0.12, sites that have not updated recently are likely carrying more than one active exposure at once.
Check your update history, not just your current version. Roughly 150,000 of Kirki’s 500,000-plus installs were still running vulnerable code when the account-takeover flaw was disclosed in June. A plugin this widely deployed, on a cadence of successive critical patches, is a strong candidate for automatic updates rather than manual review cycles that slip.
Audit outbound mail logs for anomalous password-reset traffic. Because this abuse passes every authentication check, log-based detection has to look at behavior instead: password-reset emails triggered without a corresponding reset request from the account owner, unusual bursts of outbound mail from a single site in a short window, or reset links generated for accounts that never asked for them.
Treat plugin-level mail-sending code as part of your attack surface. Any WordPress plugin that calls wp_mail() on a user’s behalf, whether for notifications, password resets, or marketing triggers, is a potential channel for this exact pattern. Reviewing which plugins can generate outbound mail, and confirming each one properly checks authorization before doing so, closes a class of vulnerability that DMARC enforcement alone cannot touch.
The Takeaway
Full DMARC enforcement remains the correct baseline for every domain, and it still stops the far more common case of an outsider forging your From header with no access to your systems at all. But CVE-2026-12472 is a reminder that authentication passing is not the same as a message being trustworthy. When the vulnerability sits inside the application that is authorized to send, DMARC will wave the resulting phishing straight through, and defenders have to look at what triggered the send, not just where it came from.
Excello Mail gives you continuous visibility into your DMARC aggregate reports and sending sources, so you can see exactly what is authenticating as your domain and act fast when something looks wrong. Sign up for free to Excello Mail to keep that visibility in place while your team closes gaps like this one.