Description
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
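The bug class named above (request keys copied into placeholder storage, then a request-controlled value passed to call_user_func) is illustrated by the following added PHP sketch. It is hypothetical example code, not the Kali Forms plugin's own form_process or prepare_post_data implementation; all function and constant names in it (unsafe_prepare_post_data, safe_resolve, PLACEHOLDER_CALLBACKS, the kf_demo_* callbacks) are assumptions. It contrasts the unsafe pattern with a hardened version that resolves placeholders only through a fixed, server-defined allowlist of callbacks and never treats request data as a callable.

```php
<?php
// Added, hypothetical example; not code from the Kali Forms plugin.
// Models the bug class in the description: request keys land in placeholder
// storage and a placeholder value is later handed to call_user_func().

// --- Unsafe pattern (simplified model of what the advisory describes) ---
function unsafe_prepare_post_data(array $post): array {
    $placeholders = [];
    foreach ($post as $key => $value) {   // keys and values straight from the request
        $placeholders[$key] = $value;
    }
    return $placeholders;
}

function unsafe_resolve(array $placeholders, string $name) {
    // A request-controlled string becomes the callable: whatever function
    // name the client supplied is invoked on the server.
    return call_user_func($placeholders[$name]);
}

// --- Hardened pattern ---
// Placeholder names map to a fixed set of server-defined callbacks; request
// data is only ever used as data (sanitized), never as the callable.
const PLACEHOLDER_CALLBACKS = [
    'site_name' => 'kf_demo_site_name',
    'today'     => 'kf_demo_today',
];

function kf_demo_site_name(): string { return 'Example Site'; }
function kf_demo_today(): string { return gmdate('Y-m-d'); }

function sanitize_text_field_demo(string $s): string {
    // Stand-in for WordPress's sanitize_text_field(): drop tags and control chars.
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($s)));
}

function safe_prepare_post_data(array $post, array $allowed_fields): array {
    $data = [];
    foreach ($allowed_fields as $field) {  // only server-declared field names are kept
        if (array_key_exists($field, $post)) {
            $data[$field] = sanitize_text_field_demo((string) $post[$field]);
        }
    }
    return $data;
}

function safe_resolve(string $name): string {
    if (!isset(PLACEHOLDER_CALLBACKS[$name])) {
        return '';                         // unknown placeholder: render nothing, call nothing
    }
    return call_user_func(PLACEHOLDER_CALLBACKS[$name]);
}

// Demo with a constructed request: an unexpected key and a value that looks
// like a function name are both discarded rather than executed.
$request = ['name' => 'Alice', 'site_name' => 'some_function_name_from_client'];
$data = safe_prepare_post_data($request, ['name', 'email']);
var_dump($data);                              // only 'name' survives
var_dump(safe_resolve('site_name'));          // 'Example Site' (allowlisted callback)
var_dump(safe_resolve('some_function_name_from_client')); // '' (not in the allowlist)
```

The defensive point is the separation of concerns: the set of callables is fixed at code-authoring time, field names are validated against a server-side list before storage, and the only thing the request can influence is which allowlisted placeholder is rendered, not which PHP function runs.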
Problem types
CWE-94 Improper Control of Generation of Code ('Code Injection')
Product status
Any version
Timeline
| Date | Event |
| --- | --- |
| 2026-03-05 | Vendor Notified |
| 2026-03-20 | Disclosed |
Credits
ISMAILSHADOW
References
www.wordfence.com/...-c064-49fd-b3fa-505a5a0c2e0b?source=cve
plugins.trac.wordpress.org/...ntend/class-form-processor.php
plugins.trac.wordpress.org/changeset/3487024/kali-forms