Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
PR:L reflects Contributor-level sufficiency per description; S:C and UI:R capture admin-session XSS; A:N as no availability impact is described.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
The Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.
AnalysisAI
Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to possess at minimum a WordPress Contributor-level account on the target installation - this is the critical prerequisite. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L scoring 5.9, but PR:H (High Privileges) appears inconsistent with the description, which explicitly names Contributor-level access as sufficient - Contributors are low-privilege WordPress users, not high-privilege operators. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a Contributor account on the target WordPress site creates a new Kali Forms contact form and injects a JavaScript payload (e.g., a session cookie exfiltration script) into a form field's caption. The attacker then invokes the plugin's post-duplication action - which lacks a proper capability check - to publish the form without administrator approval. … |
| Remediation | The primary fix is to update the Kali Forms plugin to version 2.4.13 or later, which addresses both the missing output sanitization on field captions and the missing capability check on the post-duplication action. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contri
Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Buil
Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticate
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40261
GHSA-6gcj-mc56-7jf5