Description
The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure via Insecure Direct Object Reference
Action: Patch
AI Analysis

Impact

The vulnerability allows an authenticated user with Contributor or higher privileges to enumerate form identifiers and read the configuration of any form via the /kaliforms/v1/forms/{id} REST endpoint. The permission check only verifies that the user can edit posts and does not confirm ownership, enabling disclosure of form field structures, Google reCAPTCHA secret keys, email notification templates, and server paths. This insecure direct object reference flaw, identified as CWE‑862, permits the exposure of sensitive configuration data.

Affected Systems

WordPress sites running the Kali Forms plugin, version 2.4.8 or earlier. This includes all deployments of the “wpchill:Kali Forms — Contact Form & Drag-and-Drop Builder” plugin up to the mentioned release.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate risk; the EPSS score is below 1%, implying the exploitation probability is low at present. The likely attack vector is via the REST API, where an attacker with Contributor-level access enumerates form IDs and retrieves sensitive data. No additional prerequisites beyond appropriate WordPress role permissions are mentioned in the description.

Generated by OpenCVE AI on April 16, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Kali Forms plugin to the latest version that includes ownership checks on the REST endpoint.
  • Restrict or disable access to the /kaliforms/v1/forms/{id} endpoint for non-administrative roles, otherwise add a custom capability check that verifies the form owner before returning data.
  • Review existing forms for exposed keys and sensitive configuration, and remove or secure any sensitive data stored in form fields such as reCAPTCHA secrets.

Generated by OpenCVE AI on April 16, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpchill
Wpchill kali Forms — Contact Form & Drag-and-drop Builder
Vendors & Products Wordpress
Wordpress wordpress
Wpchill
Wpchill kali Forms — Contact Form & Drag-and-drop Builder

Wed, 18 Feb 2026 07:45:00 +0000

Type Values Removed Values Added
Description The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has ownership or authorization over the specific form resource. This makes it possible for authenticated attackers, with Contributor-level access and above, to read form configuration data belonging to other users (including administrators) by enumerating form IDs. Exposed data includes form field structures, Google reCAPTCHA secret keys (if configured), email notification templates, and server paths.
Title Kali Forms <= 2.4.8 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Form Data Exposure
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wordpress Wordpress
Wpchill Kali Forms — Contact Form & Drag-and-drop Builder
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:12:24.047Z

Reserved: 2026-02-03T20:24:41.080Z

Link: CVE-2026-1860

cve-icon Vulnrichment

Updated: 2026-02-18T12:25:05.001Z

cve-icon NVD

Status : Deferred

Published: 2026-02-18T08:16:15.043

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses