Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-reachable endpoint requires no authentication or user interaction; integrity impact is low as WordPress's MIME allowlist caps uploads to safe file types, with no confidentiality or availability impact.
Primary rating from Vendor (WPScan).
CVSS VectorVendor: WPScan
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
5DescriptionCVE.org
The Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before 2.4.17 does not verify that a file upload is made against an existing form configured with a file-upload field, accepting uploads regardless of whether any such form exists, which allows unauthenticated users to upload files to the WordPress Media Library; the uploads are limited to WordPress's default-allowed MIME types, so this does not lead to code execution.
AnalysisAI
Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required to trigger the upload - the CVSS vector AV:N/AC:L/PR:N/UI:N confirms remote unauthenticated exploitation against any WordPress installation with the Kali Forms plugin installed and active on a version below 2.4.17, regardless of whether any contact form has ever been created or published on the site. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.3 Medium with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker, using the publicly available WPScan proof-of-concept, sends a crafted HTTP POST request directly to the Kali Forms file upload endpoint on any WordPress site running a vulnerable plugin version, without supplying any valid form ID or session context. The server accepts the request and stores the submitted file - for example, a deceptive image or a malicious PDF designed to exploit document readers - directly in the WordPress Media Library, from which it becomes publicly accessible via a predictable URL for use in phishing or content injection campaigns. |
| Remediation | Update the Kali Forms plugin to version 2.4.17 or later, which introduces the missing server-side validation ensuring file uploads are only accepted when the request corresponds to an existing, properly configured form that includes a file-upload field. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject
Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contri
Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticate
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44592
GHSA-56gf-mrhh-4cwv