Skip to main content

Kali Forms CVE-2026-15395

| EUVDEUVD-2026-45130 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-17 Wordfence
7.2
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Unauthenticated network stored XSS with public nonce (PR:N/AC:L); scope changes to the victim browser (S:C) with limited confidentiality/integrity and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 04:21 vuln.today
CVE Published
Jul 17, 2026 - 02:31 cve.org
HIGH 7.2

DescriptionNVD

The Kali Forms - Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The required form-submission nonce is publicly available on any page containing the form shortcode, making this exploitable by fully unauthenticated attackers without any precondition beyond the form being published.

AnalysisAI

Stored cross-site scripting in the Kali Forms - Contact Form & Drag-and-Drop Builder plugin for WordPress (all versions through 2.4.18) lets fully unauthenticated attackers persist arbitrary JavaScript through the form's 'digitalSignature' field value, which is neither sanitized on input nor escaped on output. Because the form-submission nonce is exposed on any page rendering the form shortcode, the normal anti-CSRF barrier provides no protection, and the injected script executes in the browser of any user (including administrators) who later views the affected page. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate page with Kali Forms shortcode
Delivery
Scrape public submission nonce
Exploit
Submit digitalSignature field with script payload
Execution
Value stored unsanitized
Persist
Admin or visitor views injected page
Impact
Script executes, hijack session or forge actions

Vulnerability AssessmentAI

Exploitation The target WordPress site must have a Kali Forms form published via the form shortcode that includes a 'digitalSignature' field, which is the exact injectable sink. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2 High) describes a remotely reachable, low-complexity, unauthenticated injection requiring no attacker-side user interaction, and the description confirms this is realistic because the required submission nonce is publicly retrievable from the shortcode-bearing page, removing the usual practical hurdle. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crawls WordPress sites for pages containing a Kali Forms shortcode with a digitalSignature field, scrapes the publicly embedded submission nonce from that page, and submits the form with a script payload as the signature value. When a site administrator or visitor later opens the page that renders the stored submission, the injected JavaScript runs in their session, enabling session/cookie theft, forged admin actions, or redirection. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the fix is present in the WordPress plugin repository changeset 3609303 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3609303%40kali-forms&new=3609303%40kali-forms), but the input data does not state an exact tagged release, so administrators should update Kali Forms to the latest available version above 2.4.18 and verify the version string against the Wordfence advisory rather than assuming a specific number. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all WordPress installations for Kali Forms through version 2.4.18 using vulnerability scanning tools, immediately disable the plugin across affected sites, and deploy Web Application Firewall rules blocking POST submissions to form endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy