CVE-2024-1217
Published 2024-02-29
Priority: P4 21 | Severity: medium | CVSS 3.1 base score: 4.3
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.31% (22.2nd percentile)
The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with subscriber access or higher, to deactivate any active plugins.
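The flaw described above is the general WordPress shape of CWE-862: an admin-ajax handler reachable by any logged-in user that calls a privileged plugin-management function without first asking whether the caller is allowed to. The block below is an added illustration, not the Kali Forms plugin's own code and not the patched code from the linked changeset; the action name `example_await_plugin_deactivation`, the nonce action `example_deactivate` and the handler bodies are assumptions. The first handler shows the vulnerable shape, the second adds the `current_user_can( 'activate_plugins' )` check that was missing. The nonce check is kept in both to make the point that a nonce proves request origin, not authorization.

```php
<?php
/**
 * Added illustration of CWE-862 (missing authorization) in a WordPress
 * admin-ajax handler. NOT the Kali Forms code: the action name
 * 'example_await_plugin_deactivation', the nonce action 'example_deactivate'
 * and the handler bodies are assumptions for this example.
 */

// admin-ajax.php already loads wp-admin/includes/plugin.php, but be explicit
// so deactivate_plugins(), get_plugins() and is_plugin_active() are defined.
require_once ABSPATH . 'wp-admin/includes/plugin.php';

/**
 * VULNERABLE shape. Hooked on 'wp_ajax_' only (not 'wp_ajax_nopriv_'), so the
 * caller must be logged in, but any role satisfies that: a subscriber is
 * "authenticated". The nonce only proves the request came from a page that
 * printed this user's nonce; it says nothing about what the user may do.
 */
function example_await_plugin_deactivation_vulnerable() {
    check_ajax_referer( 'example_deactivate', 'nonce' );

    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );
    if ( '' === $plugin ) {
        wp_send_json_error( 'missing plugin' );
    }

    // Privileged operation with no capability check: any subscriber can
    // deactivate any active plugin, including security plugins.
    deactivate_plugins( $plugin );
    wp_send_json_success( array( 'deactivated' => $plugin ) );
}

/**
 * HARDENED shape. Authorization first: 'activate_plugins' is the capability
 * WordPress core itself requires on the Plugins screen. Then the nonce, then
 * validate that the target names an installed, active plugin file instead of
 * trusting the client-supplied string.
 */
function example_await_plugin_deactivation_hardened() {
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    check_ajax_referer( 'example_deactivate', 'nonce' );

    $plugin = sanitize_text_field( wp_unslash( $_POST['plugin'] ?? '' ) );

    // Only accept a plugin file WordPress knows about and that is active.
    $installed = array_keys( get_plugins() );
    if ( ! in_array( $plugin, $installed, true ) || ! is_plugin_active( $plugin ) ) {
        wp_send_json_error( 'unknown or inactive plugin', 400 );
    }

    deactivate_plugins( $plugin );
    wp_send_json_success( array( 'deactivated' => $plugin ) );
}

// Wire only the hardened handler. 'wp_ajax_' means logged-in users only;
// the capability check inside is what restricts it to administrators.
add_action( 'wp_ajax_example_await_plugin_deactivation', 'example_await_plugin_deactivation_hardened' );
```

When reviewing a plugin for this class of bug, grep every `wp_ajax_` and `wp_ajax_nopriv_` callback and REST route for a `current_user_can()` (or a `permission_callback` on REST routes) before any call to `deactivate_plugins()`, `activate_plugin()`, `update_option()` or similar; a `check_ajax_referer()` on its own is not sufficient. To confirm the installed Kali Forms version on a site, `wp plugin get kali-forms --field=version` (WP-CLI) must report 2.3.42 or later.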
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| kaliforms | contact_form_builder | < 2.3.42 | 2.3.42 |
| wpchill | kali_forms_contact_form_drag-and-drop_builder | <= 2.3.41 | — |
CVSS provenance
NVD (CVSS v3.1): 4.3 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
OSV: 9.2 CRITICAL. This score belongs to the OSV record for the Ubuntu PHP advisory reproduced below, which cites CVE-2025-1217, a different identifier; it is not a rating of the Kali Forms issue.
OSV
CVE-2024-11235: php7.4, php8.1, php8.3 vulnerabilities (osv · 2025-03-31 · CVSS 9.2)
This record concerns PHP itself and cites CVE-2025-1217, not CVE-2024-1217; it does not describe the Kali Forms vulnerability.
It was discovered that PHP incorrectly handled certain inputs.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code. (CVE-2024-11235)
It was discovered that PHP incorrectly handled certain folded headers.
An attacker could possibly use this issue to cause a crash or
execute arbitrary code. (CVE-2025-1217)
It was discovered that PHP incorrectly handled certain headers.
An attacker could possibly use this issue to expose sensitive information
or execute arbitrary code. This issue only affected Ubuntu 22.04 LTS,
Ubuntu 24.10, and Ubuntu 24.04 LTS. (CVE-2025-1219)
It was discovered that PHP incorrectly handled certain headers with invalid
name and no colon. An attacker could possibly use this issue to confuse
applications
GHSA
GHSA-rp94-5jm7-95fv (unreviewed, 2024-02-29): CVE-2024-1217, rated HIGH, CWE-862 (Missing Authorization). Its description is the same text as the NVD entry above. Note the severity gap: GHSA rates it HIGH while NVD scores it 4.3 MEDIUM (PR:L, I:L only); the practical impact depends on which active plugins an attacker chooses to switch off, for example a security or access-control plugin.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://plugins.trac.wordpress.org/changeset/3036466/kali-forms/trunk?contextall=1&old=3029334&old_path=%2Fkali-forms%2Ftrunk (fix changeset)
https://www.wordfence.com/threat-intel/vulnerabilities/id/7be75b0a-737d-4f0d-b024-e207af4573cd?source=cve (Wordfence advisory)