"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 6
Critical: 1
High: 2
Medium: 3
Showing 1-6 of 6 records

Threat Entry Updated 2026-03-23

CVE-2026-3584 - Kali Forms Plugin

The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.

PLUGIN Kali Forms

CVE-2026-3584

CRITICAL CVSS 9.8 2026-03-20

Threat Entry Updated 2026-04-15

CVE-2026-1860 - Kali Forms Plugin

The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google…

PLUGIN Kali Forms

CVE-2026-1860

MEDIUM CVSS 4.3 2026-02-18

Threat Entry Updated 2025-05-27

CVE-2025-3201 - Kali Forms Plugin

The Contact Form builder with drag & drop for WordPress WordPress plugin before 2.4.3 does not sanitise and escape some of its settings, which could allow high privilege users such as contributors to perform Stored Cross-Site Scripting attacks.

PLUGIN Kali Forms

CVE-2025-3201

MEDIUM CVSS 5.9 2025-05-16

Threat Entry Updated 2025-01-19

CVE-2024-1218 - Kali Forms Plugin

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized access and modification of data via API due to an inconsistent capability check on several REST endpoints in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with contributor access and higher, to obtain access to or modify forms or entries.

PLUGIN Kali Forms

CVE-2024-1218

MEDIUM CVSS 4.3 2024-02-29

Threat Entry Updated 2025-01-19

CVE-2024-1217 - Kali Forms Plugin

The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with subscriber access or higher, to deactivate any active plugins.

PLUGIN Kali Forms

CVE-2024-1217

HIGH CVSS 7.6 2024-02-29

Threat Entry Updated 2024-11-21

CVE-2024-22305 - Kali Forms Plugin

Authorization Bypass Through User-Controlled Key vulnerability in Kali Forms Contact Form builder with drag & drop for WordPress – Kali Forms. This issue affects Contact Form builder with drag & drop for WordPress – Kali Forms: from n/a through 2.3.36.

PLUGIN Kali Forms

CVE-2024-22305

HIGH CVSS 7.5 2024-01-31