cbcvebase.
CVE-2026-3584
published 2026-03-20

Priority: P187 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 7.24% (93.6th percentile)
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.

Affected (1 range)

Vendor    | Product                                        | Version range | Fixed in
wpchill   | kali_forms_contact_form_drag-and-drop_builder  | <= 2.4.9      | (not listed)

Detection & IOCs (extracted from sources)

  • Vulnerability is exploitable by unauthenticated attackers targeting the 'form_process' function in Kali Forms plugin for WordPress versions up to and including 2.4.9
  • Detection focus: monitor for abuse of 'call_user_func' triggered via user-supplied keys mapped through 'prepare_post_data' into placeholder storage; look for unexpected function calls originating from WordPress form submission handlers
  • No authentication is required to exploit this RCE; any unauthenticated POST to the Kali Forms form submission endpoint should be treated as suspicious and inspected for payload injection in field keys
  • The Nuclei-style template fragment references PHP version extraction via a regex on the response body; this is an informational fingerprinting extractor, not a direct exploit indicator. Treat PHP version disclosure as a supporting signal only

CVSS provenance

Source    | Version | Score | Severity | Vector
NVD       | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck |         | 9.8   | CRITICAL |