Skip to main content

Kali Forms Contact Form Drag And Drop Builder

4 CVEs product

Monthly

CVE-2026-11580 MEDIUM POC PATCH This Month

Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. A publicly available proof-of-concept exists per WPScan; the vulnerability is not currently listed in the CISA KEV catalog, though the low privilege bar and default-enabled feature make it an actionable risk on any multi-user WordPress installation running the affected plugin.

Authentication Bypass WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.5
EPSS
0.1%
CVE-2026-11579 MEDIUM POC PATCH This Month

Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.

File Upload RCE WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-9107 MEDIUM This Month

Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'meta[kaliforms_field_components]' parameter. Any WordPress user who subsequently visits a page containing the injected form will execute the attacker's script in their browser, making session hijacking, credential theft, and admin account takeover realistic outcomes. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege bar (contributor) makes this a realistic risk on multi-author WordPress sites.

WordPress XSS Kali Forms Contact Form Drag And Drop Builder
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-11581 MEDIUM POC PATCH This Month

Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. A publicly available exploit (via WPScan) exists, and the plugin vendor has released a patch in version 2.4.13. No CISA KEV listing is present, indicating no confirmed mass exploitation at time of analysis.

WordPress Information Disclosure Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
CVSS 3.1
5.9
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

Kali Forms - Contact Form & Drag-and-Drop Builder WordPress plugin before version 2.4.17 allows any authenticated Contributor-level (or higher) user to duplicate arbitrary posts they do not own by exploiting a missing per-object authorization check in the plugin's AJAX post-duplication action. The attacker gains a published copy of the target post under their own ownership and can extract private post metadata, including secrets stored by other Kali Forms instances on the same site. A publicly available proof-of-concept exists per WPScan; the vulnerability is not currently listed in the CISA KEV catalog, though the low privilege bar and default-enabled feature make it an actionable risk on any multi-user WordPress installation running the affected plugin.

Authentication Bypass WordPress Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

Unauthenticated file upload to the WordPress Media Library is possible in Kali Forms - Contact Form & Drag-and-Drop Builder versions before 2.4.17, because the plugin's upload handler accepts file submissions without verifying that a corresponding form with a file-upload field actually exists on the site. Any unauthenticated remote attacker can directly invoke the upload endpoint and deposit files into the Media Library. Impact is bounded by WordPress's core MIME type allowlist, which prevents upload of executable files and thereby rules out code execution; a publicly available proof-of-concept is confirmed by WPScan, and no CISA KEV listing is present at time of analysis.

File Upload RCE WordPress +1
NVD WPScan VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the Kali Forms WordPress plugin (versions up to and including 2.4.13) allows authenticated attackers with contributor-level access to inject persistent malicious scripts via the 'meta[kaliforms_field_components]' parameter. Any WordPress user who subsequently visits a page containing the injected form will execute the attacker's script in their browser, making session hijacking, credential theft, and admin account takeover realistic outcomes. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low privilege bar (contributor) makes this a realistic risk on multi-author WordPress sites.

WordPress XSS Kali Forms Contact Form Drag And Drop Builder
NVD
EPSS 0% CVSS 5.9
MEDIUM POC PATCH This Month

Stored cross-site scripting in the Kali Forms WordPress plugin (before 2.4.13) allows Contributor-level users to inject arbitrary JavaScript into form field captions, which execute in an administrator's browser session when the admin views the form-entries screen. A compounding missing capability check in the plugin's post-duplication action enables the same low-privilege attacker to publish the malicious form without administrator approval, removing the dependency on an admin independently discovering the unpublished form. A publicly available exploit (via WPScan) exists, and the plugin vendor has released a patch in version 2.4.13. No CISA KEV listing is present, indicating no confirmed mass exploitation at time of analysis.

WordPress Information Disclosure Kali Forms Contact Form Drag And Drop Builder
NVD WPScan VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy