CVE-2026-3584
Published: 2026-03-20

CVE-2026-3584: The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is…

Priority: P187 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 7.24% (93.6th percentile)
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wpchill | kali_forms_contact_form_drag-and-drop_builder | <= 2.4.9 | — |
Detection & IOCs (extracted from sources)
- Vulnerability is exploitable by unauthenticated attackers targeting the 'form_process' function in Kali Forms plugin for WordPress versions up to and including 2.4.9
- Detection focus: monitor for abuse of 'call_user_func' triggered via user-supplied keys mapped through 'prepare_post_data' into placeholder storage — look for unexpected function calls originating from WordPress form submission handlers
- No authentication is required to exploit this RCE; any unauthenticated POST to the Kali Forms form submission endpoint should be treated as suspicious and inspected for payload injection in field keys
- The Nuclei-style template fragment references PHP version extraction via regex on response body — this is an informational fingerprinting extractor, not a direct exploit indicator; treat PHP version disclosure as a supporting signal only
CVSS provenance
- NVD: CVSS v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-r9mm-2qxw-xjgc (ghsa_unreviewed · 2026-03-21)
CVE-2026-3584 [CRITICAL] CWE-94: The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function (same description as above).
VulnCheck
kaliforms contact_form_builder Improper Control of Generation of Code ('Code Injection')
vulncheck · 2026 · CVSS 9.8
CVE-2026-3584 [CRITICAL] kaliforms contact_form_builder Improper Control of Generation of Code ('Code Injection') (same description as above).
Affected: WP Chill Kali Forms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugi
No detection rules found.
Nuclei
WordPress Kali Forms <= 2.4.9 - Remote Code Execution
nuclei · CVSS 9.8
CVE-2026-3584 [CRITICAL] WordPress Kali Forms <= 2.4.9 - Remote Code Execution

Template fragment (the start is truncated in the source; only the tail of the matchers and the extractor survive):

```yaml
WordPress Kali Forms "
          - "PHP Extension"
          - "PHP Version"
        condition: and
      - type: status
        status:
          - 200
    extractors:
      - type: regex
        name: php_version
        part: body
        group: 1
        regex:
          - 'PHP Version ([0-9.]+)'
# digest: 4b0a00483046022100e5efad98ee66bbd0f18bb342fbd296ea6b49875339033af36fe317b51af37391022100b09d76892a49677f9e0d9bc1cf433f06ab139cc082ba834ad5e1b6ce19081cd4:922c64590222798bb761d5b6d8e72950
```
Published: 2026-03-20 · Exploited in the wild