Skip to main content

Kali Forms CVE-2026-11580

| EUVDEUVD-2026-44593 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-15 WPScan GHSA-mg5f-qx7f-gf9j
5.5
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
5.5 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

Contributor access is PR:L in WordPress; AJAX endpoint is network-reachable with no interaction; C:H reflects secret metadata exfiltration, I:L reflects unauthorized post publication.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 15, 2026 - 11:23 vuln.today
CVSS changed
Jul 15, 2026 - 11:22 NVD
5.5 (MEDIUM)
Patch available
Jul 15, 2026 - 07:02 EUVD
CVE Published
Jul 15, 2026 - 06:00 cve.org
MEDIUM 5.5
CVE Published
Jul 15, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not perform a per-object capability check in its post-duplication AJAX action, allowing users with Contributor-level access or above to duplicate any post (regardless of owner, post type, or status) into a published post they own and read its private post metadata, including secrets stored by other Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17.

AnalysisAI

Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain WordPress Contributor account
Delivery
Send crafted AJAX request to duplication endpoint
Exploit
Supply arbitrary target post ID
Execution
Plugin duplicates post without per-object authorization check
Impact
Read private metadata and secrets from published duplicate

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account with at minimum Contributor-level access on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-provided CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:N scores 5.5 (Medium), but this vector contains a significant discrepancy: it assigns PR:H (high privilege), whereas the CVE description explicitly states that Contributor-level access or above is sufficient. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A publicly available proof-of-concept exists per WPScan. An attacker with a Contributor account on a WordPress site - such as a guest blogger or external content contributor - sends a crafted AJAX request to the Kali Forms post-duplication endpoint with the ID of a private post or form belonging to another user. …
Remediation Upgrade the Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin to version 2.4.17 or later, which introduces the missing per-object capability check in the AJAX post-duplication handler. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11580 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy