Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated network stored XSS with public nonce (PR:N/AC:L); scope changes to the victim browser (S:C) with limited confidentiality/integrity and no availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Kali Forms - Contact Form & Drag-and-Drop Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'digitalSignature' Field Value in all versions up to, and including, 2.4.18 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The required form-submission nonce is publicly available on any page containing the form shortcode, making this exploitable by fully unauthenticated attackers without any precondition beyond the form being published.
AnalysisAI
Stored cross-site scripting in the Kali Forms - Contact Form & Drag-and-Drop Builder plugin for WordPress (all versions through 2.4.18) lets fully unauthenticated attackers persist arbitrary JavaScript through the form's 'digitalSignature' field value, which is neither sanitized on input nor escaped on output. Because the form-submission nonce is exposed on any page rendering the form shortcode, the normal anti-CSRF barrier provides no protection, and the injected script executes in the browser of any user (including administrators) who later views the affected page. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The target WordPress site must have a Kali Forms form published via the form shortcode that includes a 'digitalSignature' field, which is the exact injectable sink. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, base 7.2 High) describes a remotely reachable, low-complexity, unauthenticated injection requiring no attacker-side user interaction, and the description confirms this is realistic because the required submission nonce is publicly retrievable from the shortcode-bearing page, removing the usual practical hurdle. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crawls WordPress sites for pages containing a Kali Forms shortcode with a digitalSignature field, scrapes the publicly embedded submission nonce from that page, and submits the form with a script payload as the signature value. When a site administrator or visitor later opens the page that renders the stored submission, the injected JavaScript runs in their session, enabling session/cookie theft, forged admin actions, or redirection. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - the fix is present in the WordPress plugin repository changeset 3609303 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3609303%40kali-forms&new=3609303%40kali-forms), but the input data does not state an exact tagged release, so administrators should update Kali Forms to the latest available version above 2.4.18 and verify the version string against the Wordfence advisory rather than assuming a specific number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: audit all WordPress installations for Kali Forms through version 2.4.18 using vulnerability scanning tools, immediately disable the plugin across affected sites, and deploy Web Application Firewall rules blocking POST submissions to form endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject
Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contri
Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Buil
Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticate
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45130
GHSA-mjg8-2mjg-9rwc