Skip to main content

Kali Forms CVE-2026-11581

| EUVDEUVD-2026-40261 MEDIUM
2026-06-30 WPScan GHSA-6gcj-mc56-7jf5
5.9
CVSS 3.1 · Vendor: WPScan
Share

Severity by source

Vendor (WPScan) PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

PR:L reflects Contributor-level sufficiency per description; S:C and UI:R capture admin-session XSS; A:N as no availability impact is described.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Generated
Jun 30, 2026 - 13:24 vuln.today
CVSS changed
Jun 30, 2026 - 13:22 NVD
5.9 (MEDIUM)
Patch available
Jun 30, 2026 - 08:01 EUVD
CVE Published
Jun 30, 2026 - 06:00 cve.org
UNKNOWN (no severity yet)
CVE Published
Jun 30, 2026 - 06:00 cve.org
MEDIUM 5.9

DescriptionCVE.org

The Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13 does not sanitise a form field's caption before outputting it as a column header on the administrator form-entries screen, allowing users with Contributor-level access or above to store JavaScript that executes in an administrator's session. A missing capability check in the Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.13's post-duplication action additionally lets the Contributor publish the malicious form so an administrator renders it.

AnalysisAI

Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Contributor-level WordPress account
Delivery
Create Kali Forms form with XSS payload in field caption
Exploit
Exploit missing capability check to publish form without admin approval
Execution
Wait for administrator to view form-entries admin screen
Persist
Stored JavaScript executes in admin browser session
Impact
Exfiltrate session credentials or perform admin-level actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess at minimum a WordPress Contributor-level account on the target installation - this is the critical prerequisite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L scoring 5.9, but PR:H (High Privileges) appears inconsistent with the description, which explicitly names Contributor-level access as sufficient - Contributors are low-privilege WordPress users, not high-privilege operators. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a Contributor account on the target WordPress site creates a new Kali Forms contact form and injects a JavaScript payload (e.g., a session cookie exfiltration script) into a form field's caption. The attacker then invokes the plugin's post-duplication action - which lacks a proper capability check - to publish the form without administrator approval. …
Remediation The primary fix is to update the Kali Forms plugin to version 2.4.13 or later, which addresses both the missing output sanitization on field captions and the missing capability check on the post-duplication action. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy