Description
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
Published: 2026-03-20
Score: 9.8 Critical
EPSS: 20.8% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Kali Forms plugin for WordPress contains a flaw in the form_process routine where user supplied data is mapped directly to internal placeholders and later executed via call_user_func, enabling the execution of arbitrary code on the server without authentication.

Affected Systems

This vulnerability affects WordPress installations using the Kali Forms plugin by wpchill, specifically versions 2.4.9 and earlier.

Risk and Exploitability

The CVSS base score is 9.8, indicating critical severity, and the EPSS score of 21% indicates a significant likelihood of exploitation, the lack of KEV listing does not mitigate the fact that unauthenticated attackers can submit malicious input through the form processing endpoint to achieve full application compromise. The likely attack vector is a remotely crafted HTTP request to the form_process URL with controlled parameters.

Generated by OpenCVE AI on April 22, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Kali Forms to the latest release that fixes the vulnerable code (any version newer than 2.4.9).
  • If an immediate update is not feasible, disable or remove the Kali Forms plugin to eliminate the risk.
  • Verify that no custom form processing code remains in the theme that could re‑introduce the vulnerability.
  • After applying the fix or removal, monitor the site for any unauthorized activity.

Generated by OpenCVE AI on April 22, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Wpchill
Wpchill kali Forms — Contact Form & Drag-and-drop Builder
Vendors & Products Wordpress
Wordpress wordpress
Wpchill
Wpchill kali Forms — Contact Form & Drag-and-drop Builder

Fri, 20 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
Description The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
Title Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Wordpress Wordpress
Wpchill Kali Forms — Contact Form & Drag-and-drop Builder
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:59:18.586Z

Reserved: 2026-03-05T05:20:57.880Z

Link: CVE-2026-3584

cve-icon Vulnrichment

Updated: 2026-03-23T16:51:32.295Z

cve-icon NVD

Status : Deferred

Published: 2026-03-20T22:16:29.267

Modified: 2026-04-22T21:32:08.360

Link: CVE-2026-3584

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:30:20Z

Weaknesses