Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Contributor access is PR:L in WordPress; AJAX endpoint is network-reachable with no interaction; C:H reflects secret metadata exfiltration, I:L reflects unauthorized post publication.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17.
AnalysisAI
Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account with at minimum Contributor-level access on the target site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-provided CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N scores 5.5 (Medium), but this vector contains a significant discrepancy: it assigns PR:H (high privilege), whereas the CVE description explicitly states that Contributor-level access or above is sufficient. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A publicly available proof-of-concept exists per WPScan. An attacker with a Contributor account on a WordPress site - such as a guest blogger or external content contributor - sends a crafted AJAX request to the Kali Forms post-duplication endpoint with the ID of a private post or form belonging to another user. … |
| Remediation | Upgrade the Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin to version 2.4.17 or later, which introduces the missing per-object capability check in the AJAX post-duplication handler. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject
Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Buil
Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticate
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44593
GHSA-mg5f-qx7f-gf9j