cvebase

Wpchill Kali Forms Contact Form Drag-And-Drop Builder vulnerabilities

7 known vulnerabilities affecting wpchill/kali_forms_contact_form_drag-and-drop_builder.

Total CVEs: 7
CISA KEV: 0
Public exploits: 1
Exploited in wild: 2
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 4

Vulnerabilities

CVE-2026-3584 | P1 | CRITICAL | CVSS 9.8 | Exploited | PoC | ≤ 2.4.9 | 2026-03-20
CWE-94: The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes
Source: NVD
CVE-2020-36720 | P1 | HIGH | CVSS 7.1 | Exploited | fixed in 2.1.2 | 2023-06-07
CWE-862: The Kali Forms plugin for WordPress is vulnerable to Authenticated Options Change in versions up to, and including, 2.1.1. This is due to the update_option lacking proper authentication checks. This makes it possible for any authenticated attacker to change (or delete) the plugin's settings.
Source: NVD
CVE-2020-36717 | P3 | HIGH | CVSS 8.8 | fixed in 2.1.2 | 2023-06-07
CWE-352: The Kali Forms plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.1.1. This is due to incorrect nonce handling throughout the plugin's function. This makes it possible for unauthenticated attackers to access the plugin's administrative functions via forged request granted they can trick a site administ
Source: NVD
CVE-2020-36712 | P4 | MEDIUM | CVSS 5.3 | fixed in 2.1.2 | 2023-06-07
CWE-862: The Kali Forms plugin for WordPress is vulnerable to Unauthenticated Arbitrary Post Deletion in versions up to, and including, 2.1.1. This is due to the kaliforms_form_delete_uploaded_file function lacking any privilege or user protections. This makes it possible for unauthenticated attackers to delete any site post or page with the id parameter.
Source: NVD
CVE-2024-1218 | P4 | MEDIUM | CVSS 5.4 | ≤ 2.3.41 | 2024-02-29
CWE-862: The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized access and modification of data via API due to an inconsistent capability check on several REST endpoints in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with contributor access and h
Source: NVD
CVE-2026-1860 | P4 | MEDIUM | CVSS 4.3 | ≤ 2.4.8 | 2026-02-18
CWE-862: The Kali Forms plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.8. This is due to the `get_items_permissions_check()` permission callback on the `/kaliforms/v1/forms/{id}` REST API endpoint only checking for the `edit_posts` capability without verifying that the requesting user has owners
Source: NVD
CVE-2024-1217 | P4 | MEDIUM | CVSS 4.3 | ≤ 2.3.41 | 2024-02-29
CWE-862: The Contact Form builder with drag & drop for WordPress – Kali Forms plugin for WordPress is vulnerable to unauthorized plugin deactivation due to a missing capability check on the await_plugin_deactivation function in all versions up to, and including, 2.3.41. This makes it possible for authenticated attackers, with subscriber access or higher, to de
Source: NVD